
Re: matching GW addr to ID payload (fwd)



On Fri, 3 Dec 1999, Tero Kivinen wrote:
> Jan Vilhuber writes:
> > But if you don't 'authenticate' the ID payload in any way, I would think it's
> 
> You did authenticate it, it is something the other end sent to you,
> and it is authenticated because the hash that the other end calculated
> using pre-shared key was correct.
> 
> So ID payload is authenticated to be sent by the other end. How much
> you can trust to it is another matter, but it is authenticated. 
> 
Maybe this is semantics, but since the ID was not involved with the selection
of the pre-shared key, then it's not authenticated. The fact that it's in the
hash means only that both sides used the same value to stick into the hash,
but not that it's authenticated (unless I'm missing something).

> > insecure to select policy with it. Since PC-clients (or at least the one I'm
> > familiar with) generally have the ID field as a configuration option, I could
> > put in an ID of 'kivinen@iki.fi'. Would you then use this to select policy?
> > How would you know that I was NOT 'kivinen@iki.fi'?
> 
> I would use the IP address as a primary key and if that key says
> to me that this is laptop shared between you and me, and the ID
> payload says it is kivinen@iki.fi, then the gw should use
> kivinen@iki.fi's policy rules not yours... 

I suppose bringing up group-keys at this point wouldn't get us very far, so
I'll leave it out. If you assume that kivinen@iki.fi always has the same IP
address, then I agree this would work.

However, when (dynamic) NAT and dynamic IP addresses are involved, this no
longer works, but then you shouldn't be using pre-shared keys for that
anyway. Not that that's stopping people...

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
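The disagreement above is about what "authenticated" means for the ID payload in IKE main mode with pre-shared keys. The following is an added toy model, not code from the thread or from any IKE implementation: it uses HMAC-SHA1 as the prf, leaves cookies and Diffie-Hellman values out of HASH_I, and uses constructed PSKs, nonces and policy names. The PSK is looked up by source IP (as the gateway must do in main mode, where the ID arrives only after SKEYID is needed), and the two identities on the page are used as sample ID payloads.

```python
import hmac
import hashlib

# Constructed toy model of IKEv1 main mode PSK authentication (not real IKE code).
# The gateway can only key its pre-shared secrets by peer IP address; sample values.
PSK_BY_IP = {"192.0.2.10": b"shared-laptop-secret"}

# Two ways a gateway might select policy after Phase 1: by ID payload or by IP.
POLICY_BY_ID = {
    "kivinen@iki.fi": "policy-kivinen",
    "vilhuber@cisco.com": "policy-vilhuber",
}
POLICY_BY_IP = {"192.0.2.10": "policy-shared-laptop"}


def skeyid_psk(psk, nonce_i, nonce_r):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b) for PSK authentication (RFC 2409)."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha1).digest()


def hash_i(skeyid, sa_body, idii):
    """HASH_I = prf(SKEYID, ... | SAi_b | IDii_b).  Cookies and DH public values
    are omitted in this model; what matters here is that IDii_b is covered."""
    return hmac.new(skeyid, sa_body + idii, hashlib.sha1).digest()


def initiator(psk, nonce_i, nonce_r, sa_body, claimed_id):
    """Client side: the ID payload is whatever the user typed into the config."""
    skeyid = skeyid_psk(psk, nonce_i, nonce_r)
    idii = claimed_id.encode()
    return idii, hash_i(skeyid, sa_body, idii)


def gateway_verify(src_ip, nonce_i, nonce_r, sa_body, idii, received_hash):
    """Gateway side: the PSK is chosen by source IP, not by the ID payload,
    because SKEYID is needed before the ID payload has been received."""
    psk = PSK_BY_IP.get(src_ip)
    if psk is None:
        return False
    skeyid = skeyid_psk(psk, nonce_i, nonce_r)
    return hmac.compare_digest(hash_i(skeyid, sa_body, idii), received_hash)


def run_exchange(src_ip, psk, claimed_id, tamper_to=None):
    """Run one Phase 1 authentication and report
    (hash_ok, policy_if_keyed_by_id, policy_if_keyed_by_ip)."""
    nonce_i, nonce_r = b"\x01" * 16, b"\x02" * 16  # fixed so the run is reproducible
    sa_body = b"SA:3DES-SHA1-MODP1024"               # constructed SA payload body
    idii, h = initiator(psk, nonce_i, nonce_r, sa_body, claimed_id)
    if tamper_to is not None:
        idii = tamper_to.encode()  # ID altered on the wire; HASH_I left as sent
    if not gateway_verify(src_ip, nonce_i, nonce_r, sa_body, idii, h):
        return False, None, None
    id_str = idii.decode()
    return True, POLICY_BY_ID.get(id_str), POLICY_BY_IP.get(src_ip)


if __name__ == "__main__":
    psk = PSK_BY_IP["192.0.2.10"]
    # Same PSK holder, two different claimed IDs: both pass the hash check.
    for claimed in ("kivinen@iki.fi", "vilhuber@cisco.com"):
        print(claimed, run_exchange("192.0.2.10", psk, claimed))
    # Altering the ID in transit without the PSK breaks the hash check.
    print("tampered", run_exchange("192.0.2.10", psk, "vilhuber@cisco.com",
                                   tamper_to="kivinen@iki.fi"))
    print("wrong psk", run_exchange("192.0.2.10", b"not-the-key", "kivinen@iki.fi"))
```

The run shows both sides of the argument: HASH_I does bind the ID payload to whoever holds the IP-selected pre-shared key (a third party cannot change it in transit), but since the key was chosen without reference to the ID, anyone holding that key passes with any ID they configure. Policy keyed by ID therefore rests on the key holder's honesty; policy keyed by the IP that selected the PSK does not, which is why the thread ends up tying this to static addressing.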
