
Re: matching GW addr to ID payload (fwd)



On Thu, 2 Dec 1999, Slava Kavsan wrote:
> And related question - is it "legal" to use non-IP Address ID types (e.g. UFQDN,
> USER_FQDN, etc.) for the ID Type in the pre-shared keys authentication?

There's nothing illegal about it, but ID payloads are of limited utility
with shared-secret authentication.  As others have pointed out, you have
to decide which shared secret to use -- to decrypt the message -- before
you can see any ID payload.

You could conceivably have multiple mobile machines sharing the same
secret (not generally a good idea) and determine which is calling by using
an ID payload. 

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
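
Added example, not part of the original message or of any IKE implementation: a Python sketch of the point above. The key that protects the ID payload (SKEYID_e, derived as in RFC 2409) depends on the pre-shared secret, so the responder can select that secret only by peer address, and an ID payload becomes useful only once several callers share one secret. The HMAC-SHA1 prf, the XOR stand-in cipher, the 8-byte check tag, the "*" catch-all entry and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

def prf(key, data):
    # HMAC-SHA1 as the negotiated prf (assumption for this example)
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_e(psk, ni, nr, gxy, cky_i, cky_r):
    # RFC 2409 derivation for pre-shared-key authentication
    skeyid = prf(psk, ni + nr)
    tail = gxy + cky_i + cky_r
    d = prf(skeyid, tail + b"\x00")
    a = prf(skeyid, d + tail + b"\x01")
    return prf(skeyid, a + tail + b"\x02")

def stream(key, data):
    # Stand-in cipher (assumption): real IKE uses the negotiated CBC cipher
    out = bytearray()
    for i in range(0, len(data), 20):
        pad = prf(key, i.to_bytes(4, "big"))
        out += bytes(x ^ y for x, y in zip(data[i:i + 20], pad))
    return bytes(out)

def encrypt_id(psk, exchange, user_fqdn):
    key = skeyid_e(psk, *exchange)
    body = bytes([3, 0, 0, 0]) + user_fqdn.encode()  # ID type 3 = ID_USER_FQDN
    # 8-byte tag stands in for the HASH_I check (assumption)
    return stream(key, body + prf(key, body)[:8])

def read_id(psk_table, src_ip, exchange, ciphertext):
    # The only selector available before decryption is the peer address.
    psk = psk_table.get(src_ip, psk_table.get("*"))
    if psk is None:
        return None
    key = skeyid_e(psk, *exchange)
    plain = stream(key, ciphertext)
    body, tag = plain[:-8], plain[-8:]
    if not hmac.compare_digest(tag, prf(key, body)[:8]):
        return None  # wrong secret chosen: the ID payload is unreadable
    return body[4:].decode()

# Constructed sample values; "*" is a hypothetical catch-all for unknown addresses
EXCHANGE = (b"Ni-sample", b"Nr-sample", b"gxy-sample", b"CKY-I-00", b"CKY-R-00")
PSKS = {"192.0.2.20": b"site-b-secret", "*": b"mobile-group-secret"}

def demo():
    alice = encrypt_id(PSKS["*"], EXCHANGE, "alice@example.org")
    bob = encrypt_id(PSKS["*"], EXCHANGE, "bob@example.org")
    site_b = encrypt_id(PSKS["192.0.2.20"], EXCHANGE, "gw@site-b.example")
    return (read_id(PSKS, "198.51.100.7", EXCHANGE, alice),
            read_id(PSKS, "203.0.113.5", EXCHANGE, bob),
            read_id(PSKS, "203.0.113.9", EXCHANGE, site_b))
```

The third call in `demo()` fails because the peer used the site secret from an unlisted address: the responder falls back to the group secret and can never read the ID that would have told it otherwise.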


