Phase 1 IDs ("son of IKE")

Ted suggested I bring this up to the list:

Currently, the Responder in a Phase 1 (Main Mode) exchange picks the identity
to use based on the Initiator's IP address or Phase 1 ID, or uses some default
value (like the address of the interface the Phase 1 exchange occurs on).

What I'd like to suggest is that the Initiator be allowed to send a Responder
Phase 1 ID payload, which the Responder will use as a hint as to what ID to
use itself; the Responder can ignore this hint, at the risk of the exchange
not being completed. The extra code to support this is fairly small (in the
order of 50 lines, in OpenBSD isakmpd).

This change allows for per-user authentication on IKE, and makes much simpler
Phase 1 negotiations where a) the Initiator and Responder roles change over
time (because of unbalanced Phase 1 SA expirations), *and* b) the Phase 1 ID
used by the Initiator is not the same as that used when it acts as a Responder.

Anyway, I'll say the same thing tomorrow at the WG meeting --- just wanted to
give some warning :-)
-Angelos
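Added example, not from the original post or from isakmpd: a toy model of the Responder's Phase 1 identity selection, contrasting the existing address/ID-based rule with the proposed Responder-ID hint. The identities, addresses and policy table are constructed for illustration; the hint is only honoured when it names an identity the Responder actually holds, otherwise it is ignored and the exchange may fail on the Initiator side, as the post describes.

```python
# Constructed toy model of Phase 1 (Main Mode) Responder ID selection.
# Nothing here is taken from isakmpd; all values below are made up.

DEFAULT_ID = "192.0.2.1"  # address of the interface the exchange arrives on (constructed)

# Identities this Responder is configured to use (constructed). Holding several
# identities, each with its own credentials, is what allows per-user authentication.
LOCAL_IDS = {"192.0.2.1", "gw.example.net", "alice@example.net"}

# Existing rule: Initiator's Phase 1 ID or IP address -> local identity (constructed).
POLICY = {
    "bob@example.net": "alice@example.net",
    "198.51.100.7": "gw.example.net",
}


def legacy_select(peer_addr, peer_id):
    """Pre-proposal behaviour: pick by Initiator's Phase 1 ID, then its address, else default."""
    return POLICY.get(peer_id) or POLICY.get(peer_addr) or DEFAULT_ID


def select_responder_id(peer_addr, peer_id, hint=None):
    """Proposed behaviour: honour the Initiator's Responder-ID hint only if it names an
    identity we are configured to use; otherwise ignore it and fall back to the legacy
    rule. Returns (chosen_id, hint_honoured)."""
    if hint is not None and hint in LOCAL_IDS:
        return hint, True
    return legacy_select(peer_addr, peer_id), False


def phase1_completes(peer_addr, peer_id, expected_responder_id, hint=None):
    """Outcome as seen by the Initiator: the exchange only completes if the identity the
    Responder ends up using is the one the Initiator expects to authenticate."""
    chosen, _ = select_responder_id(peer_addr, peer_id, hint)
    return chosen == expected_responder_id


if __name__ == "__main__":
    # An Initiator not covered by the policy table wants the gateway identity.
    peer_addr, peer_id, wanted = "203.0.113.5", "carol@example.net", "gw.example.net"
    print("no hint:      ", phase1_completes(peer_addr, peer_id, wanted))
    print("good hint:    ", phase1_completes(peer_addr, peer_id, wanted, hint=wanted))
    print("unknown hint: ", phase1_completes(peer_addr, peer_id, wanted, hint="nobody@example.net"))
```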