Re: Mobile IPv6 - IPsec interaction.
In your previous mail you wrote:
> In step (2), there is nothing that prevents a mobile node from using
> the home address of some other mobile node. How does the other
> end (the home agent or the correspondent node) verify that the
> mobile node is using the right home address ?
It verifies that the identity sent in the phase I matches its policy
database.
=> can you give more details about what you can find in the policy database
in your IKE implementation (I can't get enough public documentation)?
Example:
In the phase I, I can use any of the names inside the certificate as my
identity and the home agent can then know that only my laptop is able
to create that IKE SA. Thus after phase I succeeds it knows that it is
my laptop at the other end of that IKE SA.
=> this (identification+authentication) is known to be not enough for
the proper authorization.
Using my home address (11.22.33.44) as an identity of the phase I is a
bad idea, because some implementations check that IKE src address
matches the phase I id.
=> I agree: I know some of them and this check doesn't seem to be very
paranoid.
Thus it would be better using either user@fqdn or fqdn instead.
=> it will be hard to find a good reason to use something else in this case
(i.e. the mobile node case).
In the phase II my laptop will create a tunnel between 11.22.33.44 and
the home agent, and now the home agent knows that this IKE SA
connection is bound to my laptop which then is bound to home address
of 11.22.33.44, thus this operation can succeed.
=> the "then is bound to" is our point: how is it done?
You have to remember that authentication of the remote end happens in
the Phase I, and after that you know who is on the other end of that
IKE SA.
=> we agree, the issue is an authorization (only!) issue.
Thanks
Francis.Dupont@enst-bretagne.fr