[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Mobile IPv6 - IPsec interaction.
Mohan Parthasarathy writes:
> > It cannot use care of address as its identity in phase I. The care of
> > address does not have any meaning to the home agent. It needs to use
> > something in the phase I that will identify the mobile node to the
> > home agent.
> Agreed. I did not mean to use the care of address as the identity.
> I meant that one can't use the home address in phase I. If it
> could have used the home address, then there is no problem
Actually you can. The identity used in the phase I does not have to
match the ip address of the originating packet. It must match the
identity of the remote host.
> > It verifies that the identity sent in the phase I matches its policy
> > database.
> You mean to say that during phase II, you link the phase I identity
> and the IP address used in the ID payload of phase II and match it
> with that is in the certificate.
Not really. The Phase I identity is checked against the certificate,
and that identity is also used to search for the policy rules allowed
for the host. And that policy rule must then allow for that host to
create tunnel between those two hosts. The ip-number does not have to
be in the certificate (it can be and you can use that to verify that
it is correct), it can also be in the external policy mapping saying
that kivinen@ssh.fi can use home addresses of 11.22.33.44 or
11.22.33.45 (lets say I have my laptop and also my cellular phone, and
both of them are using the certificate I have on the smartcard to
authenticate themselves).
> > Example:
> >
> > My laptop (kaakeli.ssh.fi) has a home address of 11.22.33.44. I also
> > have certificate that is bound to this machine having names DN =
> > "C=Fi, O=SSH Communications Security, CN=Tero Kivinen",
> > user@fqdn = "kivinen@ssh.fi", fqdn = "kaakeli.ssh.fi" and ip =
> > "11.22.33.44" in it.
> >
> So, for every cell phone assume i have such a certificate issued.
I think that is the only way to do it... Pre-shared keys are just out
of question in that case...
> Assume i am using this to connect to some web site. As i keep
> moving, i keep sending binding updates to the server that
> i am connected to. Is it practical to assume that any
> arbitrary server that i connect to, will be able to get to
> these certificates and do these policy checks ? How
> does the server get to this policy information ?
If I understand correctly you send those binding updates to your home
agent, not to each web server.
If you really need to have SA between two random hosts in the
internet, then you need global PKI. We do not have such yet. DNSsec
might provide one, or we might end up having some kind of global X.509
PKI. Anyways that is completely different problem than protecting the
connection between two know hosts, mobile user and home agent.
--
kivinen@ssh.fi Work : +358 303 9870
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
Follow-Ups:
References: