
Fwd: Re: Heartbeats Straw Poll



This leads to an interesting question.
RFC 2459 does not mandate that subject-alternate-name based identities MUST be
unique. Hence you have the option of creating certificates with the same
IKE identity for SGW1 and SGW2 (same value in the subject-altname field).

Any comments on the effects of creating two certificates with the same
subject-alt-name identity and what it means for IKE authentication?

Thanks,

-- sankar --

----------  Forwarded Message  ----------
Subject: Re: Heartbeats Straw Poll
Date: Mon, 07 Aug 2000 11:44:45 -0400
From: Bill Sommerfeld <sommerfeld@East.Sun.COM>


> >If SGW 1 dies SGW doesn't have a clue about the SPIs that SGW 3 is
> >sending. How will he inform the other end?
> 
> SGW2 could do a Main Mode under any Phase 1 policy that he has to SGW3 and in
> the process, tell him INITIAL-CONTACT.  No subsequent QM's would happen until
> the next packet hits SGW3.  You would want to rate limit this to prevent the
> obvious DoS attack on the receiving side.  

If your policies are certificate/name based rather than address-based,
this might not work so well (since you could have policy allowing
connections from any random address as long as it had the right cert).
I'd rather see schemes which put more of the burden on the peer which
both had state and had traffic to send.

BTW, I think that some sort of "IKE-level ping" facility would be very
useful as a diagnostic tool.  However, it should not be abused as a
"keepalive"/"make-dead" mechanism.

					- Bill
-------------------------------------------------------

-- 
sankar ramamoorthi
email:	sankar@nexsi.com
phone:  408-579-5718 (w)
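The two points raised in this thread (Sankar's question about two gateways sharing one subject-alt-name identity, and Bill's concern that a name-based policy lets any address that presents the right certificate send INITIAL-CONTACT) can be put side by side in a small model. The following is an added illustration, not code from the thread or from any IKE implementation: a toy SA table on SGW3 that names peers either by IKE identity alone or by (identity, public-key fingerprint), fed with constructed certificates for SGW1 and SGW2 that carry the same subjectAltName but different keys. The `Cert` and `SaTable` classes, the SPI values and the key bytes are all constructed for the example.

```python
"""Toy model of how SGW3 keys its SA state, and what an INITIAL-CONTACT from a
peer that shares another peer's IKE identity does to that state.

Constructed illustration only; not an IKE/ISAKMP implementation.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate with just the two fields the example
    needs: the subjectAltName used as IKE ID, and a key to fingerprint."""
    subject_alt_name: str
    public_key: bytes  # constructed stand-in for a real SubjectPublicKeyInfo

    def fingerprint(self) -> str:
        return hashlib.sha256(self.public_key).hexdigest()[:16]


PeerKey = Union[str, Tuple[str, str]]


@dataclass
class SaTable:
    """Phase 2 SA state held by SGW3, keyed by whatever the policy uses to
    name a peer: the IKE ID alone, or the ID plus the peer's key fingerprint."""
    key_by_pubkey: bool
    sas: Dict[PeerKey, List[int]] = field(default_factory=dict)

    def peer_key(self, cert: Cert) -> PeerKey:
        if self.key_by_pubkey:
            return (cert.subject_alt_name, cert.fingerprint())
        return cert.subject_alt_name  # name-based policy: ID only

    def add_sa(self, cert: Cert, spi: int) -> None:
        self.sas.setdefault(self.peer_key(cert), []).append(spi)

    def spis_for(self, cert: Cert) -> List[int]:
        return list(self.sas.get(self.peer_key(cert), []))

    def handle_initial_contact(self, cert: Cert) -> List[int]:
        """Model of INITIAL-CONTACT processing: the authenticated peer says it
        holds no state with us, so we drop the SAs we hold for that peer.
        Returns the SPIs that were flushed."""
        return self.sas.pop(self.peer_key(cert), [])


# Constructed sample: SGW1 and SGW2 hold different keys but the same SAN,
# which RFC 2459 does not forbid.
SGW1 = Cert("sgw.example.net", b"constructed key material of SGW1")
SGW2 = Cert("sgw.example.net", b"constructed key material of SGW2")


def demo(key_by_pubkey: bool) -> Tuple[List[int], List[int]]:
    """SGW3 has SAs with SGW1 and SGW2; then SGW2 authenticates with its
    (valid) certificate and sends INITIAL-CONTACT. Returns the SPIs flushed
    and the SPIs SGW3 still holds for SGW1 afterwards."""
    table = SaTable(key_by_pubkey)
    table.add_sa(SGW1, 0x1001)
    table.add_sa(SGW1, 0x1002)
    table.add_sa(SGW2, 0x2001)
    flushed = table.handle_initial_contact(SGW2)
    return sorted(flushed), table.spis_for(SGW1)


if __name__ == "__main__":
    print("ID-only policy:       flushed=%s, SGW1 keeps=%s" % demo(False))
    print("ID+fingerprint policy: flushed=%s, SGW1 keeps=%s" % demo(True))
```

With the ID-only table, SGW2's INITIAL-CONTACT takes SGW1's SAs down with it, because the two gateways are the same peer as far as the policy can tell; keying on the certificate's public key as well confines the flush to SGW2's own state. The rate limit Bill mentions is a separate control that would sit in front of `handle_initial_contact`.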