
Re: Mobile IPv6 - IPsec interaction.



 In your previous mail you wrote:

   > In step (2), there is nothing that prevents a mobile node from using
   > the home address of some other mobile node. How does the other
   > end (the home agent or the correspondent node) verify that the
   > mobile node is using the right home address ?
   
   It verifies that the identity sent in the phase I matches its policy
   database.
   
=> can you give more details about what you can find in the policy database
in your IKE implementation (I can't get enough public documentation)?

   Example:
   
   In the phase I can use any of the names inside the certificate as my
   identity and the home agent can then know that only my laptop is able
   to create that IKE SA. Thus after phase I succeeds it knows that it is
   my laptop at the other end of that IKE SA.
   
=> this (identification+authentication) is known to be not enough for
the proper authorization.

   Using my home address (11.22.33.44) as an identity of the phase I is a
   bad idea, because some implementations check that IKE src address
   matches the phase I id.

=> I agree: I know some of them and this check doesn't seem to be very
paranoid.

   Thus it would be better using either user@fqdn or fqdn instead.

=> it will be hard to find a good reason to use something else in this case
(i.e. the mobile node case).
   
   In the phase II my laptop will create tunnel between 11.22.33.44 and
   the home agent, and now the home agent knows that this IKE SA
   connection is bound to my laptop which then is bound to home address
   of 11.22.33.44, thus this operation can succeed. 
   
=> the "then is bound to" is our point: how is it done?

   You have to remember that authentication of the remote end happens in
   the Phase I, and after that you know who is on the other end of that
   IKE SA. 

=> we agree, the issue is an authorization (only!) issue.

Thanks

Francis.Dupont@enst-bretagne.fr
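The authorization check the thread is circling around, written out as an added example (not code from either correspondent or from any IKE implementation): a small policy database binds each phase I identity (fqdn or user@fqdn, as authenticated from the certificate) to the home address(es) it is allowed to claim, and the phase II tunnel is only accepted when the proposed inner endpoint is one of those addresses. The identities, addresses and the POLICY_DB structure are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, IPv4Address, IPv6Address
from typing import Dict, Set, Union

Address = Union[IPv4Address, IPv6Address]

# Constructed policy database (hypothetical entries): phase I identity ->
# set of home addresses that identity is authorized to use as the inner
# endpoint of a phase II tunnel to the home agent.
POLICY_DB: Dict[str, Set[Address]] = {
    "laptop.example.net": {ip_address("11.22.33.44")},
    "alice@example.net": {ip_address("2001:db8::1")},
}


@dataclass
class IkeSa:
    """What the home agent knows about an IKE SA after phase I."""
    peer_id: str          # identity proven in phase I (fqdn or user@fqdn)
    authenticated: bool   # phase I completed successfully


def phase1_identity_acceptable(peer_id: str) -> bool:
    """Accept only identities that exist in the policy database and are not
    bare IP addresses. A home address as phase I ID is rejected: some
    implementations require the IKE source address to match the ID, and a
    mobile node sends from its care-of address, so that check would fail."""
    try:
        ip_address(peer_id)
        return False          # an address literal, not a name
    except ValueError:
        return peer_id in POLICY_DB


def authorize_phase2_tunnel(sa: IkeSa, inner_src: str) -> bool:
    """The 'then is bound to' step: authentication tells the home agent who is
    on the other end of the IKE SA; this lookup decides whether that identity
    may use the home address proposed as the tunnel's inner source."""
    if not sa.authenticated:
        return False
    allowed = POLICY_DB.get(sa.peer_id, set())
    return ip_address(inner_src) in allowed


def describe_decision(sa: IkeSa, inner_src: str) -> str:
    """Human-readable audit line for the authorization decision."""
    verdict = "ACCEPT" if authorize_phase2_tunnel(sa, inner_src) else "REJECT"
    return f"{verdict}: id={sa.peer_id} home_address={inner_src}"


if __name__ == "__main__":
    laptop = IkeSa("laptop.example.net", authenticated=True)
    print(describe_decision(laptop, "11.22.33.44"))   # its own home address
    print(describe_decision(laptop, "2001:db8::1"))   # another node's address
```

The second call shows the case raised at the start of the thread: a node that authenticated correctly but asks for somebody else's home address is refused, because the decision is made on the identity-to-address binding in the policy database rather than on authentication alone.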

