
Re: MM with signatures and dynamic IP addresses?



Ari,

We were just discussing pretty much this same issue in another thread.

The issue also arises in other scenarios, and there are cases where the 
initiator rather than the responder faces the issue.  For example:

(*) The responder has a dynamically assigned IP address.  The initiator is a 
security gateway negotiating on behalf of a client.  The client knows the 
dynamically assigned IP address of the responder, but the gateway does not.  The
client requests the establishment of a phase 2 SA with that IP address.  The 
gateway must first set up a phase 1 SA with that address, but does not know who 
it is talking to until it has received the ID payload from the responder during 
the phase 1 exchange.

(*) The responder has a perfectly normal statically assigned IP address.  The 
initiator is a gateway with a policy for the responder, but the policy is indexed
by the distinguished name of the responder rather than by the IP address.  A 
client of the gateway requests an SA with the IP address of the responder, and 
the rest is as above.

Notice that the above two cases cannot be solved by the use of aggressive mode.

In my opinion, the solution to this is very simple: have a policy for phase 1 
that is independent of the peer.  After all, one of the roles of phase 1 is to 
find out the identity of the peer, so it does not make sense to make phase 1 
policy dependent on who the peer is.

I believe this solution is consistent with RFC 2401.  Perhaps it is even the 
behavior that was intended by the authors of RFC 2401.  Am I right?  In any 
event, a clarification in RFC 2401 would be useful.

Francisco Corella

(francisco_corella@hp.com)
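A small model of the two-stage policy lookup Francisco describes above (a phase 1 policy that is the same for every peer, then a phase 2 policy indexed by distinguished name once the ID payload has been received), as an added example that is not part of the original thread. Transform names, distinguished names and addresses are constructed; signature verification of the ID is assumed to have happened and is not modelled.

```python
"""Two-stage IKE policy lookup: a peer-independent phase 1 policy, then a
peer-specific phase 2 policy keyed by the identity learned in phase 1.
Constructed example; transform names, DNs and addresses are illustrative."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transform:
    encr: str
    auth_hash: str
    dh_group: int


# Responder's global phase 1 policy, ordered strongest first.  It is the same
# for every peer, so it can be applied before the ID payload has arrived.
# (constructed values)
PHASE1_POLICY = [
    Transform("3des", "sha1", 2),
    Transform("3des", "md5", 2),
    Transform("des", "sha1", 1),
]

# Phase 2 policy indexed by the peer's distinguished name, not its address.
# (constructed values)
PHASE2_POLICY_BY_DN = {
    "CN=gw1.example.test,O=Example": {Transform("3des", "sha1", 2)},
    "CN=roadwarrior.example.test,O=Example": {
        Transform("3des", "sha1", 2),
        Transform("des", "sha1", 1),
    },
}

# The alternative the thread warns about: a table keyed by IP address works
# for statically addressed peers and finds nothing for a dynamic address.
PHASE2_POLICY_BY_IP = {
    "192.0.2.10": {Transform("3des", "sha1", 2)},
}


def select_phase1(proposals: list[Transform]) -> Optional[Transform]:
    """Pick the strongest proposal the global policy accepts.

    No knowledge of the peer is needed, so the responder can answer the
    first main mode message before it knows who the initiator is."""
    rank = {t: i for i, t in enumerate(PHASE1_POLICY)}
    acceptable = [p for p in proposals if p in rank]
    if not acceptable:
        return None
    return min(acceptable, key=rank.__getitem__)


def select_phase2(peer_dn: str, proposals: list[Transform]) -> Optional[Transform]:
    """Per-peer selection, possible only once the DN is known and verified."""
    allowed = PHASE2_POLICY_BY_DN.get(peer_dn)
    if allowed is None:
        return None  # unknown peer: no phase 2 policy, refuse
    for p in proposals:  # keep the initiator's preference order within policy
        if p in allowed:
            return p
    return None


def responder(src_ip: str, phase1_proposals: list[Transform],
              id_payload_dn: str, phase2_proposals: list[Transform]) -> dict:
    """Model the responder's decisions across both phases."""
    result = {"ip_indexed_policy_found": src_ip in PHASE2_POLICY_BY_IP}
    p1 = select_phase1(phase1_proposals)
    result["phase1"] = p1
    if p1 is None:
        return result  # phase 1 fails; identity is never learned
    # Only at this point (ID payload received, signature assumed verified)
    # is a per-peer lookup meaningful.
    result["peer_dn"] = id_payload_dn
    result["phase2"] = select_phase2(id_payload_dn, phase2_proposals)
    return result


if __name__ == "__main__":
    # A peer on a dynamically assigned address (constructed) offers two transforms.
    print(responder("203.0.113.77",
                    [Transform("des", "sha1", 1), Transform("3des", "sha1", 2)],
                    "CN=roadwarrior.example.test,O=Example",
                    [Transform("des", "sha1", 1)]))
```

The IP-indexed table is kept only to show why it cannot serve the dynamic-address case: the lookup by source address finds nothing, while the peer-independent phase 1 selection and the DN-keyed phase 2 lookup both succeed.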

______________________________ Reply Separator _________________________________
Subject: MM with signatures and dynamic IP addresses?
Author:  Non-HP-Ari.Huttunen (Ari.Huttunen@F-Secure.com) at 
HP-ColSprings,mimegw5
Date:    12/21/99 3:25 AM


What is the responder supposed to do in the following scenario:
 Main mode with signature authentication is being used and the 
 initiator chooses the IP address dynamically.
     
Now, the responder needs to determine the security policy that is 
used to select the SAs from those proposed by the initiator. 
Unfortunately at this point the responder has no idea who the 
initiator is.
     
I can think of a few possible solutions: 1) the initiator 
only sends one choice so the responder cannot make a mistake, 
2) the responder tries to guess the strongest proposed SAs, 
3) use aggressive mode. 
     
Comments?
     
-- 
Ari Huttunen                   phone: +358 9 859 900 
Senior Software Engineer       fax  : +358 9 8599 0452
     
F-Secure Corporation       http://www.F-Secure.com 
     
F-Secure products: Integrated Solutions for Enterprise Security


