Re: MM with signatures and dynamic IP addresses?

["Scott G. Kelly" <skelly@redcreek.com>]

Hi Francisco,

francisco_corella@hp.com wrote:

<trimmed...>
 
> The way I interpret the Ike spec, the security gateway is simply trusted to act
> on behalf of its clients and to vouch for the identity of its clients, without
> any cryptographic delegation of authority.  But one could do what you say if
> that trust is not there.

I think that there must be some implied delegation. The problem here is
that if we don't provide some delegation mechanism, we run the risk that
some sgw may claim to represent an endpoint with access to our network,
and that someone may now put (spoofed) packets into the tunnel. That sgw
may be one that is granted access for some purpose, but that we do not
expect to represent the particular endpoint that it subsequently
impersonates. Nobody else (e.g routers along the way) can see that this
is occurring.

One way to provide for such delegation is to configure, as part of the
phase 2 requirements, some phase 1 requirements including phase 1
identities.

>  In any event, I think this is orthogonal to the
> question of whether it is OK to have only one policy for phase 1, independent of
> the identity of the peer.

By "one policy for phase 1" do you refer only to cryptographic
parameters (and not identities or authentication mechanisms), i.e all
phase 1 SAs use 3DES/SHA1?

Scott

---

Follow-Ups:

• Re: MM with signatures and dynamic IP addresses?
• From: francisco_corella@hp.com

References:

• Re: MM with signatures and dynamic IP addresses?
• From: francisco_corella@hp.com

---

• Prev by Date: Re: MM with signatures and dynamic IP addresses?
• Next by Date: I-D ACTION:draft-ietf-ipsec-isakmp-hybrid-auth-03.txt
• Prev by thread: Re: MM with signatures and dynamic IP addresses?
• Next by thread: Re: MM with signatures and dynamic IP addresses?
• Index(es):
  • Main
  • Thread