Re: matching GW addr to ID payload (fwd)

[Tero Kivinen <kivinen@ssh.fi>]

Jan Vilhuber writes:
> But if you don't 'authenticate' the ID payload in any way, I would think it's

You did authenticate it, it is something the other end sent to you,
and it is authenticated because the hash that the other end calculated
using pre-shared key was correct.

So ID payload is authenticated to be sent by the other end. How much
you can trust to it is another matter, but it is authenticated. 

> insecure to select policy with it. Since PC-clients (or at least the one I'm
> familiar with) generally have the ID field as a configuration option, I could
> put in an ID of 'kivinen@iki.fi'. Would you then use this to select policy?
> How would you know that I was NOT 'kivinen@iki.fi'?

I would you use the ip address as a primary key and if that key says
to me that this is laptop shared between you and me, and the ID
payload says it is kivinen@iki.fi, then the gw should use
kivinen@iki.fi's policy rules not yours... 
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

---

Follow-Ups:

• Re: matching GW addr to ID payload (fwd)
• From: Jan Vilhuber <vilhuber@cisco.com>

References:

• Re: matching GW addr to ID payload (fwd)
• From: Tero Kivinen <kivinen@ssh.fi>
• Re: matching GW addr to ID payload (fwd)
• From: Jan Vilhuber <vilhuber@cisco.com>

---

• Prev by Date: Re: IPSec SA DELETE in "dangling" implementation
• Next by Date: Re: matching GW addr to ID payload (fwd)
• Prev by thread: Re: matching GW addr to ID payload (fwd)
• Next by thread: Re: matching GW addr to ID payload (fwd)
• Index(es):
  • Main
  • Thread