
Re: On the Use of SCTP with IPsec



Angelos D. Keromytis wrote:

> 1) I think this would require action on the part of the PKIX group; also
> note that the more expressive and complex the expressions you want in the
> "identity", the more they resemble a programming language of sorts (and
> I'll just point out our recent paper at NDSS on "Trust Management for
> IPsec").

I'm not sure I understand why PKIX needs to be involved. Weren't
you referring to my comment about the use of recursive identities
also in the context of other things, such as better specification of
how ICMP is treated? Even today we have ports and protocols in
the IDs, and we don't require them to appear in certs in any way...
if an implementation checks the validity of the phase 2 selectors
against the phase 1 identity, that check most likely omits the port/protocol
information, right?

But this reminds me of an issue that wasn't clear to me. In your
draft section 3.b you talk about IKE validating the phase 2
selectors, and getting sufficient info during phase 1 in order
to do this. But have you defined exactly how to do the "validation"?

- Do we always need to do validation in the first place? If multiple
  phase 2 selectors are proposed, couldn't it still be the case that the
  phase 1 identity is a trusted fqdn, for instance?

- Is the validation an equality check on the IP addresses? Are only
  IP addresses allowed then? I suppose I can use fewer addresses in
  phase 2 than in phase 1, but not more?

- Suppose in phase 1, I present the certificate with AltName="1.1.1.1, 1.1.1.2"
  and the identity "1.1.1.1 OR 1.1.1.2". Can I present a phase 2 selector
  proposal of "1.1.1.0/31"?

- In the same style, can I use IPSEC_ID_IPV4_SUBNET for phase 1
  and individual addresses from this network in phase 2? How are the
  network/broadcast addresses treated in this case?

- Must we really require the addresses to be in the cert, too?
  What if somebody comes up with a multihomed SCTP node
  that uses dynamic IP addresses? This might happen easily
  in an IPv6 setting with a node that has multiple network cards,
  for instance.

Jari
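The validation questions in the mail above (equality versus subset of the phase 1 identity, a "1.1.1.0/31" proposal against an identity listing individual addresses, a subnet identity with host selectors inside it, and how the network/broadcast addresses fall out) can be made concrete with a small checker. This is an added illustration, not code from the draft or from either author; it assumes the phase 1 identity and the phase 2 proposal are modelled as lists of addresses or CIDR blocks, and the two policies it implements ("subset" and "equality") are hypothetical readings, not what the draft specifies.

```python
"""Check proposed IKE phase 2 traffic selectors against a phase 1 identity.

Constructed example. The identity is a list of addresses / CIDR blocks
(IPSEC_ID_IPV4_ADDR or IPSEC_ID_IPV4_SUBNET style); so is the proposal.
Two hypothetical policies are implemented:
  "subset"   - every proposed address must lie inside the identity
               (fewer addresses than the identity is fine, more is not)
  "equality" - the proposal must cover exactly the identity's addresses
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def to_networks(selectors: Iterable[str]) -> List[Net]:
    """Parse addresses or CIDR blocks; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(s, strict=False) for s in selectors]


def uncovered(selector: Net, identity: List[Net]) -> List[Net]:
    """Return the parts of `selector` not covered by any identity block.

    Uses exact subnet arithmetic instead of enumerating addresses, so it is
    safe for large IPv6 prefixes.
    """
    remaining = [selector]
    for ident in identity:
        next_remaining = []
        for piece in remaining:
            if piece.version != ident.version:
                next_remaining.append(piece)            # other family: disjoint
            elif piece.subnet_of(ident):
                continue                                # fully covered: drop
            elif ident.subnet_of(piece):
                next_remaining.extend(piece.address_exclude(ident))  # carve out
            else:
                next_remaining.append(piece)            # disjoint: keep
        remaining = next_remaining
    return remaining


def validate_phase2(identity: Iterable[str], proposal: Iterable[str],
                    policy: str = "subset",
                    reject_net_bcast: bool = False) -> Dict[str, object]:
    """Validate a phase 2 selector proposal against a phase 1 identity.

    reject_net_bcast additionally refuses an IPv4 host selector that is the
    network or broadcast address of an identity subnet (the subnet-identity
    question raised in the mail).
    Returns {"ok": bool, "rejected": {selector: reason}}.
    """
    ident_nets = to_networks(identity)
    prop_nets = to_networks(proposal)
    rejected: Dict[str, str] = {}
    for sel in prop_nets:
        leftover = uncovered(sel, ident_nets)
        if leftover:
            rejected[str(sel)] = ("not covered by identity: "
                                  + ", ".join(map(str, leftover)))
            continue
        if reject_net_bcast and sel.version == 4 and sel.prefixlen == 32:
            host = sel.network_address
            for ident in ident_nets:
                if (ident.version == 4 and ident.prefixlen < 31 and host in ident
                        and host in (ident.network_address, ident.broadcast_address)):
                    rejected[str(sel)] = "network/broadcast address of " + str(ident)
    if policy == "equality":
        # Reverse direction: every identity block must also be in the proposal.
        for ident in ident_nets:
            leftover = uncovered(ident, prop_nets)
            if leftover:
                rejected[str(ident)] = ("identity part not in proposal: "
                                        + ", ".join(map(str, leftover)))
    elif policy != "subset":
        raise ValueError("unknown policy: " + policy)
    return {"ok": not rejected, "rejected": rejected}


if __name__ == "__main__":
    # The "/31 against two listed addresses" case from the mail.
    print(validate_phase2(["1.1.1.1", "1.1.1.2"], ["1.1.1.0/31"]))
    # Fewer addresses than the identity: fine under subset, not under equality.
    print(validate_phase2(["1.1.1.1", "1.1.1.2"], ["1.1.1.1"], "subset"))
    print(validate_phase2(["1.1.1.1", "1.1.1.2"], ["1.1.1.1"], "equality"))
    # Subnet identity with host selectors, refusing the network address.
    print(validate_phase2(["1.1.1.0/24"], ["1.1.1.5", "1.1.1.0"],
                          reject_net_bcast=True))
```

Running the module shows that "1.1.1.0/31" is not a subset of {1.1.1.1, 1.1.1.2} because it also covers 1.1.1.0, that a single address out of a two-address identity passes the subset reading but fails the equality reading, and that a /24 identity accepts hosts inside it unless the checker is told to refuse the network and broadcast addresses. Which of these behaviours a conforming implementation should have is exactly the open question in the mail.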
