
Re: matching GW addr to ID payload (fwd)



On Fri, 3 Dec 1999, Tero Kivinen wrote:
> Jan Vilhuber writes:
> > I would argue that it doesn't and that you can safely ignore the ID payload
> > in the MM/pre-shared scenario, since it adds no value anyway.
> 
> For pre-shared keys it doesn't offer anything. You have to know the
> identity before the ID payload anyway, because you need to select the
> correct pre-shared key before you can decrypt the ID payload. You can
> use the ID payload as a key to select the correct policy for the quick mode,
> but I don't think there is any use in requiring it to match the IP
> address of the policy. This only applies to pre-shared keys.

But if you don't 'authenticate' the ID payload in any way, I would think it's
insecure to select policy with it. Since PC-clients (or at least the one I'm
familiar with) generally have the ID field as a configuration option, I could
put in an ID of 'kivinen@iki.fi'. Would you then use this to select policy?
How would you know that I was NOT 'kivinen@iki.fi'?

Personally, I feel the ID in MM/pre-shared is pretty much superfluous and
should be ignored and not used for anything at all.

Aggressive mode is different, since I have the option of picking the shared
secret based on the ID, so I can use it for policy selection (or whatever).

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
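The two lookup orders this thread contrasts, as an added illustration that is not code from the thread or from any IKE implementation: in Main Mode the responder has to pick the pre-shared key from the peer address before it can read the ID, so whoever holds that address's key can present any ID it likes; in Aggressive Mode the ID arrives in the clear, selects the key, and is then bound to it by the authentication hash. The tables, nonce, keystream and hash below are constructed stand-ins for IKE's real SKEYID derivation and HASH payloads.

```python
import hmac
import hashlib

# Constructed sample state for a toy responder (not real IKE data).
PSK_BY_ADDR = {"192.0.2.10": b"site-a-secret"}          # Main Mode: key chosen by peer IP
PSK_BY_ID = {"alice@example.net": b"alice-secret"}       # Aggressive Mode: key chosen by ID
POLICY_BY_ADDR = {"192.0.2.10": "restricted"}
POLICY_BY_ID = {"alice@example.net": "restricted", "admin@example.net": "full"}

def keystream(psk: bytes, nonce: bytes, n: int) -> bytes:
    """Toy stand-in for the SKEYID_e-derived cipher keystream (not IKE's real KDF)."""
    out = b""
    while len(out) < n:
        out += hmac.new(psk, nonce + len(out).to_bytes(2, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt_id(psk: bytes, nonce: bytes, ident: str) -> bytes:
    """What a Main Mode initiator sends: the ID payload, readable only with the PSK."""
    data = ident.encode()
    return bytes(a ^ b for a, b in zip(data, keystream(psk, nonce, len(data))))

def main_mode_responder(peer_addr: str, nonce: bytes, enc_id: bytes):
    """The PSK must come from the peer address; only then can the ID be decrypted."""
    psk = PSK_BY_ADDR.get(peer_addr)
    if psk is None:
        return None  # no key for this address: the ID cannot even be read
    ident = bytes(a ^ b for a, b in zip(enc_id, keystream(psk, nonce, len(enc_id))))
    ident = ident.decode(errors="replace")
    # The ID is whatever the key holder chose; policy by address is what the key proves.
    return {"id": ident,
            "policy_by_addr": POLICY_BY_ADDR[peer_addr],
            "policy_by_id": POLICY_BY_ID.get(ident)}

def aggressive_auth_hash(psk: bytes, nonce: bytes, ident: str) -> bytes:
    """Toy stand-in for HASH_I: binds the claimed ID to the PSK selected by that ID."""
    return hmac.new(psk, nonce + ident.encode(), hashlib.sha256).digest()

def aggressive_mode_responder(clear_id: str, nonce: bytes, auth_hash: bytes):
    """The ID is in the clear, so it selects the PSK; the hash then authenticates the claim."""
    psk = PSK_BY_ID.get(clear_id)
    if psk is None:
        return None  # unknown ID: nothing to authenticate against
    if not hmac.compare_digest(aggressive_auth_hash(psk, nonce, clear_id), auth_hash):
        return None  # claimed ID not backed by its key
    return POLICY_BY_ID[clear_id]
```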


