
Re: matching GW addr to ID payload (fwd)



Jan Vilhuber writes:
> I would argue that it doesn't and that you can safely ignore the ID payload
> in the MM/pre-shared scenario, since it adds no value anyway.

For pre-shared keys it doesn't offer anything. You have to know the
identity before the ID payload anyway, because you need to select the
correct pre-shared key before you can decrypt the ID payload. You can
use the ID payload as a key to select the correct policy for quick mode,
but I don't think there is any use in requiring it to match the IP
address of the policy. This only applies to pre-shared keys.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
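
The ordering described in the message above, as an added example that is not part of the original post: with pre-shared key authentication the responder must pick the key by peer IP address, because the RFC 2409 SKEYID chain that protects the ID payload depends on that key. The tables, nonces, cookies and the choice of HMAC-SHA1 as the prf are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample configuration (not from the original message).
PSK_BY_PEER_IP = {"192.0.2.10": b"psk-for-gw-a", "192.0.2.20": b"psk-for-gw-b"}
QM_POLICY_BY_ID = {"gw-a.example.net": "policy-a", "192.0.2.20": "policy-b"}


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1, assuming SHA-1 was the negotiated hash (assumption)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_e_for_peer(peer_ip, ni_b, nr_b, g_xy, cky_i, cky_r):
    """Derive SKEYID_e per RFC 2409 section 5 for pre-shared key auth.

    The only peer attribute available here is the source IP address: the
    ID payload arrives later, encrypted under keying material derived here.
    """
    psk = PSK_BY_PEER_IP[peer_ip]              # lookup keyed on IP, not on ID
    skeyid = prf(psk, ni_b + nr_b)             # SKEYID = prf(psk, Ni_b | Nr_b)
    tail = g_xy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    return prf(skeyid, skeyid_a + tail + b"\x02")


def quick_mode_policy(decrypted_id: str) -> str:
    """After decryption the ID is only a policy selector; no IP match required."""
    return QM_POLICY_BY_ID[decrypted_id]


# Constructed exchange values.
NI, NR = b"\x11" * 16, b"\x22" * 16
G_XY, CKY_I, CKY_R = b"\x33" * 96, b"\x44" * 8, b"\x55" * 8

if __name__ == "__main__":
    right = skeyid_e_for_peer("192.0.2.10", NI, NR, G_XY, CKY_I, CKY_R)
    wrong = skeyid_e_for_peer("192.0.2.20", NI, NR, G_XY, CKY_I, CKY_R)
    print("keys differ:", right != wrong)      # wrong PSK cannot decrypt the ID
    print("policy:", quick_mode_policy("gw-a.example.net"))
```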

