[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: matching GW addr to ID payload (fwd)
On Thu, 2 Dec 1999, Bronislav Kavsan wrote:
> Jan,
>
> You said "How would you know that I was NOT 'kivinen@iki.fi'?"
> That's true - but the similar question could be asked: "How would you know
> that my IP Address is NOT 204.12.57.121"?
>
Do you mean ip-address as in 'source-ip-address' or 'ID_IPV4'? There's a big
difference. One selects the key, and one does not.
> Both schemes have exactly the same level of insecurity (though changing IP
> Address on my machine is much easier than changing the content of the ID
> Payload :).
>
No, they don't, but I may be missing something: If you change your
ip-address (barring NAT) I would pick a key based on the source-ip-address.
So this does have implications.
If you change the ID, nothing changes, except the string of bits that goes
into the hash. There's a difference.
> But at least using "cisco-gateway.com" allows me to ALWAYS check ID Payload
> and get through the NAT and do not make the special case for not checking
> ID Payload when using pre-shared key in MM.
>
What does checking the ID payload give you? I can't CHECK that you are
'cisco-gateway.com'. And I personally don't care if your ID payload claims
you are 1.1.1.1. Neither pieces of information enlighten me in any way, nor
are they particularly reliable, since you could be lying about them, and I
have no way of knowing. So I ignore them, and pick the key based on
source-ip-address (the only thing I CAN).
> Another option in the new draft could be to remove ID Payload altogether
> for MMs with pre-shared keys.
>
Either way, I don't get your points above. The problem is solved if you
simply ignore the ID payload in this situation. Pay no attention to it. I
carries no relevant information.
jan
> Jan Vilhuber wrote:
>
> > On Fri, 3 Dec 1999, Tero Kivinen wrote:
> > > Jan Vilhuber writes:
> > > > I would argue that it doesn't and that you can safely ignore the ID payload
> > > > in the MM/pre-shared scenario, since it adds no value anyway.
> > >
> > > For pre shared keys it doesn't offer anything. You have to know the
> > > identity before ID payload anyways, because you need to select the
> > > correct pre shared key before you can decrypt the ID payload. You can
> > > use ID payload as a key to select correct policy for the quick mode,
> > > but I don't think there is any use to require it to match the IP
> > > address of the policy. This only applies for the pre shared keys.
> >
> > But if you don't 'authenticate' the ID payload in any way, I would think it's
> > insecure to select policy with it. Since PC-clients (or at least the one I'm
> > familiar with) generally have the ID field as a configuration option, I could
> > put in an ID of 'kivinen@iki.fi'. Would you then use this to select policy?
> > How would you know that I was NOT 'kivinen@iki.fi'?
> >
> > Personally, I feel the ID in MM/pre-shared is pretty much superfluous and
> > should be ignored and not used for anything at all.
> >
> > Aggressive mode is different, since I have the option of picking the shared
> > secret based on the ID, so I can use it for policy selection (or whatever).
> >
> > jan
> > --
> > Jan Vilhuber vilhuber@cisco.com
> > Cisco Systems, San Jose (408) 527-0847
>
>
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
Follow-Ups:
References: