
Re: help



At 11:34 01.04.01 +0800, zhangdongyan wrote:
 >Dear sir:
 >    We are students of Harbin Institute of Technology of China. Now we are
 >learning IPSec Protocol.
 >
 >    We have questions about IKE:
 >
 >  1.IKE Phase 1 Authenticated With a Pre-Shared Key:
 >    What is the difference between Vendor ID data (VID) which is in the Vendor
 >ID Payload and Identification Data which is in the Identification Payload?
 >

The VID is rather unimportant, you may completely ignore it. It can be used 
to recognize different _implementations_ of IPsec. It is optional.

The ID payload is very important, it holds the names of the two parties.

 >  2.IKE Phase 1 Authenticated With Digital Signature:
 >    According to the RFC “The Internet IP Security Domain of Interpretation
 >for ISAKMP”, when an IKE exchange is authenticated using certificates (of
 >any format), any IDs used for input to local policy decisions SHOULD be
 >contained in the certificate used in the authentication of the exchange.
 >What we would like to know is: the Identification Data which is in the
 >Identification Payload is equal to which part of the certificate?

That depends on the _type_ of ID payload. If it's IP address, dns, or email,
the ID payload SHOULD be equal to the altSubjectName of the certificate.
That's a v3 extension of X.509.

If the ID payload is a distinguished name, you should compare that to the
normal subjectName of the certificate. (easy)

 >  3.IKE Phase 1 Authenticated With Public Key Encryption:
 >    Is the Identification Data known to each other in advance? Is the
 >Identification Data used to find the other’s public key, and how is the
 >public key found?

The responder takes the ID payload and checks its local database for the
public key. The local database should be indexed by the important ID types,
such as IP address, full DN etc.

Please note that the common IKE implementations require Cert Request payloads
to work properly. One host says "I trust this CA" by sending a Cert Request,
and the peer answers with a certificate (during Phase 1). And vice versa. This
way, both computers should end up holding the peer's certificate.

 >  4.IKE Phase 2
 >    Why does the initiator have two ID Payloads, IDci and IDcr, and how does
 >the initiator know the IDcr data? Is it necessary for the responder to have
 >two ID Payloads and send them to the initiator? Could you tell me the answer
 >in detail?

Phase 2 is for a tunnel. And a tunnel connects two networks. So the
initiator has to specify which two networks he wants to connect. He might
put his own IP address into IDci and "192.168.30.0/24" into IDcr; that'd be
a request for a host-to-gateway connection.

 >   We are sorry for troubling you. We want to understand IKE quickly, so
 >we are looking forward to hearing from you as soon as possible. Thank you
 >for your attention.
 >
 >Best Regards,
 >
 >Zhang Dongyan
 >Email:myredapple-@163.net
 >Hou Rui
 >Email:hithourui@yahoo.com.cn
 >

Jörn
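The check the reply describes for question 2 (IP, DNS or e-mail IDs looked up in subjectAltName, a DN ID compared with the certificate subject), as an added Python example that is not part of this thread. Only the ID type numbers come from RFC 2407; the dict layout for the parsed certificate, the function names and the sample values are assumptions constructed for the example.

```python
import ipaddress

# IPsec DOI identification types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV6_ADDR, ID_DER_ASN1_DN = 1, 2, 3, 5, 9

# Constructed sample of already-parsed certificate fields (assumed layout,
# not a real certificate); an implementation fills this from its X.509 parser.
SAMPLE_CERT = {
    "subject": "C=DE, O=Example GmbH, CN=vpn-gw.example.test",
    "san": {
        "ip": {"192.0.2.10"},
        "dns": {"vpn-gw.example.test"},
        "email": {"ike-admin@example.test"},
    },
}

def decode_id(id_type, data):
    """Turn the raw Identification Data field into a comparable string."""
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return str(ipaddress.ip_address(data))  # packed address -> canonical text
    # FQDN, user-FQDN and DN are treated as text here; a real DN arrives DER-encoded
    return data.decode("ascii")

def normalise_dn(dn):
    """Split a DN string into (attribute, value) pairs, ignoring spacing and attribute case."""
    return tuple((k.strip().upper(), v.strip())
                 for k, _, v in (part.partition("=") for part in dn.split(",")))

def id_matches_cert(id_type, data, cert):
    """True only if the identity asserted in the ID payload is bound in the peer's certificate.

    IP, DNS and e-mail IDs must appear in subjectAltName; a DN ID must equal the
    certificate subject. Anything else is rejected, so local policy can never key
    on an identity the CA did not certify.
    """
    try:
        ident = decode_id(id_type, data)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed address or non-text data: treat as no match
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return ident in cert["san"]["ip"]
    if id_type == ID_FQDN:
        return ident.lower() in {d.lower() for d in cert["san"]["dns"]}
    if id_type == ID_USER_FQDN:
        return ident.lower() in {e.lower() for e in cert["san"]["email"]}
    if id_type == ID_DER_ASN1_DN:
        return normalise_dn(ident) == normalise_dn(cert["subject"])
    return False
```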