Re: matching GW addr to ID payload (fwd)
Jan Vilhuber writes:
> But if you don't 'authenticate' the ID payload in any way, I would think it's
You did authenticate it: it is something the other end sent to you,
and it is authenticated because the hash that the other end calculated
using the pre-shared key was correct.
So the ID payload is authenticated as having been sent by the other end. How much
you can trust it is another matter, but it is authenticated.
> insecure to select policy with it. Since PC-clients (or at least the one I'm
> familiar with) generally have the ID field as a configuration option, I could
> put in an ID of 'kivinen@iki.fi'. Would you then use this to select policy?
> How would you know that I was NOT 'kivinen@iki.fi'?
I would use the IP address as a primary key, and if that key says
to me that this is a laptop shared between you and me, and the ID
payload says it is kivinen@iki.fi, then the gw should use
kivinen@iki.fi's policy rules, not yours...
--
kivinen@iki.fi Work : +358-9-4354 3218
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
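A small model of the policy selection described in the reply above, added here as an example and not code from the thread or from SSH's toolkit: the peer table is keyed by the source IP address, the ID payload is accepted only if the keyed hash under that address's pre-shared key verifies, and the authenticated ID then chooses a policy only among the IDs configured for that address. The PEERS table, the nonces and the HMAC-SHA256 construction are constructed stand-ins for IKEv1's SKEYID and HASH_I, not the RFC 2409 formulas.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample configuration (hypothetical addresses and key). The
# gateway keys its peer table by the address the negotiation arrives from;
# each entry holds that peer's pre-shared key and the IDs it may claim,
# each mapped to the policy to apply for that ID.
PEERS = {
    "192.0.2.10": {
        "psk": b"shared-laptop-secret",
        "ids": {
            "kivinen@iki.fi": "policy-kivinen",
            "vilhuber@example.net": "policy-vilhuber",
        },
    },
}


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # Simplified stand-in for SKEYID: a key derived from the PSK and both nonces.
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()


def id_hash(key: bytes, id_payload: bytes) -> bytes:
    # Simplified stand-in for HASH_I: a keyed hash that covers the ID payload.
    return hmac.new(key, id_payload, hashlib.sha256).digest()


def initiator_hash(psk: bytes, ni: bytes, nr: bytes, id_payload: bytes) -> bytes:
    # What a peer that really holds the PSK sends alongside its ID payload.
    return id_hash(skeyid(psk, ni, nr), id_payload)


def select_policy(src_ip: str, id_payload: bytes, ni: bytes, nr: bytes,
                  received_hash: bytes) -> Optional[str]:
    peer = PEERS.get(src_ip)
    if peer is None:
        return None  # unknown address: no PSK to authenticate against
    key = skeyid(peer["psk"], ni, nr)
    if not hmac.compare_digest(id_hash(key, id_payload), received_hash):
        return None  # hash does not verify: the ID payload is not authenticated
    # The ID is now authenticated as sent by a holder of this address's PSK.
    # It may only choose among the policies configured for this address, so a
    # peer cannot reach another address's policy by claiming someone else's ID.
    return peer["ids"].get(id_payload.decode())
```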