
Re: matching GW addr to ID payload (fwd)



Jan,

You said "How would you know that I was NOT 'kivinen@iki.fi'?"
That's true, but a similar question could be asked: "How would you know that my
IP address is NOT 204.12.57.121?"

Both schemes have exactly the same level of insecurity (though changing IP Address
on my machine is much easier than changing the content of the ID Payload :).

But at least using "cisco-gateway.com" allows me to ALWAYS check the ID Payload and get
through the NAT, and not make a special case for not checking the ID Payload when
using a pre-shared key in MM.

Another option in the new draft could be to remove ID Payload altogether for MMs
with pre-shared keys.

Jan Vilhuber wrote:

> On Fri, 3 Dec 1999, Tero Kivinen wrote:
> > Jan Vilhuber writes:
> > > I would argue that it doesn't and that you can safely ignore the ID payload
> > > in the MM/pre-shared scenario, since it adds no value anyway.
> >
> > For pre shared keys it doesn't offer anything. You have to know the
> > identity before ID payload anyways, because you need to select the
> > correct pre shared key before you can decrypt the ID payload. You can
> > use ID payload as a key to select correct policy for the quick mode,
> > but I don't think there is any use to require it to match the IP
> > address of the policy. This only applies for the pre shared keys.
>
> But if you don't 'authenticate' the ID payload in any way, I would think it's
> insecure to select policy with it. Since PC-clients (or at least the one I'm
> familiar with) generally have the ID field as a configuration option, I could
> put in an ID of 'kivinen@iki.fi'. Would you then use this to select policy?
> How would you know that I was NOT 'kivinen@iki.fi'?
>
> Personally, I feel the ID in MM/pre-shared is pretty much superfluous and
> should be ignored and not used for anything at all.
>
> Aggressive mode is different, since I have the option of picking the shared
> secret based on the ID, so I can use it for policy selection (or whatever).
>
> jan
>  --
> Jan Vilhuber                                            vilhuber@cisco.com
> Cisco Systems, San Jose                                     (408) 527-0847
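As an added illustration (not code from the thread), here is a toy model of the responder's choices in Main Mode with pre-shared keys, assuming a constructed peer table, fixed nonces and a SHAKE-based stand-in for the SKEYID_e cipher: the PSK (and hence SKEYID) can only be selected by source IP before the ID payload is readable, so a policy lookup keyed on the claimed ID alone honours whatever ID the client was configured with, while ignoring the ID or binding it to the IP-selected key does not.

```python
import hmac, hashlib

# Constructed responder table: with pre-shared keys in Main Mode the only
# selector available before the ID payload is decrypted is the peer's IP.
PEERS = {
    "204.12.57.121": {"psk": b"psk-jan",  "id": "vilhuber@cisco.com", "policy": "cisco-net"},
    "192.0.2.10":    {"psk": b"psk-tero", "id": "kivinen@iki.fi",     "policy": "iki-net"},
}
POLICY_BY_ID = {p["id"]: p["policy"] for p in PEERS.values()}

def skeyid(psk, ni, nr):
    # RFC 2409 pre-shared-key case: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()

def _toy_encrypt(k, data):
    # Stand-in for the SKEYID_e cipher: XOR with a SHAKE keystream (symmetric).
    stream = hashlib.shake_256(k + b"enc").digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def initiator_msg5(psk, ni, nr, claimed_id):
    """Encrypted IDii plus a HASH_I-like MAC over it, as sent in MM message 5."""
    k = skeyid(psk, ni, nr)
    idb = claimed_id.encode()
    return _toy_encrypt(k, idb), hmac.new(k, idb, hashlib.sha1).digest()

def responder_policy(src_ip, ni, nr, enc_id, hash_i, mode):
    """mode: 'ignore' = policy by IP only, 'by_id' = trust claimed ID, 'bound' = ID must match key."""
    peer = PEERS.get(src_ip)                 # the PSK can only be chosen by IP address
    if peer is None:
        return None
    k = skeyid(peer["psk"], ni, nr)
    idb = _toy_encrypt(k, enc_id)
    if not hmac.compare_digest(hash_i, hmac.new(k, idb, hashlib.sha1).digest()):
        return None                          # initiator did not hold the key bound to this IP
    claimed = idb.decode(errors="replace")
    if mode == "ignore":
        return peer["policy"]
    if mode == "by_id":
        return POLICY_BY_ID.get(claimed)     # honours whatever ID the client was configured with
    return peer["policy"] if claimed == peer["id"] else None

def demo():
    ni, nr = b"nonce-i", b"nonce-r"
    # Jan's machine (holding only Jan's PSK) configured to claim Tero's ID.
    enc, h = initiator_msg5(b"psk-jan", ni, nr, "kivinen@iki.fi")
    return {m: responder_policy("204.12.57.121", ni, nr, enc, h, m)
            for m in ("ignore", "by_id", "bound")}
```

Only the 'by_id' mode hands Jan's peer the "iki-net" policy; 'ignore' yields the IP-selected "cisco-net" and 'bound' rejects the mismatch.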
