Re: Phase 1 IDs ("son of IKE")
>>>>> "Angelos" == Angelos D Keromytis <angelos@coredump.cis.upenn.edu> writes:
Angelos> What I'd like to suggest is that the Initiator be allowed to
Angelos> send a Responder Phase 1 ID payload, which the Responder will
Angelos> use as a hint as to what ID to use itself; the Responder can
Angelos> ignore this hint, at the risk of the exchange not being
Angelos> completed. The extra code to support this is fairly small (in
Angelos> the order of 50 lines, in OpenBSD isakmpd).
A la Host: header in HTTP?
I.e. "this is the ID which *I* thought I was contacting"
Angelos> This change allows for per-user authentication on IKE, and makes
I'm not sure that I follow this completely. You mean, individual users
can "respond" (via PF_* stuff...)
Angelos> much simpler Phase 1 negotiations where a) the Initiator and
Angelos> Responder roles change over time (because of unbalanced Phase 1
Angelos> SA expirations), *and* b) the Phase 1 ID used by the Initiator
Angelos> is not the same as that used when it acts as a Responder.
It seems to make sense to me.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
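A toy model of the proposal discussed above, added here as an illustration; it is not code from this thread or from isakmpd, and every peer name, identity and policy entry is constructed. It walks through case b): the Initiator's Phase 1 ID differs from the ID it uses as Responder, so once the roles flip the reversed exchange picks the wrong identity unless the Initiator sends the Responder-ID hint, and a hint the Responder cannot honour lets the exchange fail exactly as the proposal allows.

```python
# Added illustration, not code from the thread or from isakmpd; all names,
# identities and policy entries below are constructed.

class Peer:
    """Toy IKE Phase 1 endpoint that can present several local IDs.

    identities maps each Phase 1 ID this host will present as Responder to
    the set of peer IDs it accepts under that identity (its policy).  The
    first entry is the default used when no usable hint arrives.
    """
    def __init__(self, identities, initiator_id):
        self.identities = identities      # {local_id: {accepted_peer_id, ...}}
        self.initiator_id = initiator_id  # ID presented when acting as Initiator

    def choose_responder_id(self, hint):
        # Honour the hint only if it names an identity we actually hold;
        # otherwise fall back to the default (the proposal lets the Responder
        # ignore the hint, at the risk of the exchange not completing).
        if hint in self.identities:
            return hint
        return next(iter(self.identities))


def phase1(initiator, responder, expected_responder_id, send_hint):
    """Model one Phase 1 exchange; True if both sides accept the IDs."""
    hint = expected_responder_id if send_hint else None
    resp_id = responder.choose_responder_id(hint)
    # Responder authenticates the Initiator under the identity it chose.
    if initiator.initiator_id not in responder.identities[resp_id]:
        return False
    # Initiator only proceeds if the Responder presented the expected ID.
    return resp_id == expected_responder_id


# Constructed peers: a gateway with one identity and a road-warrior host
# that initiates under a user ID but also holds a hostname identity.
GATEWAY = Peer({"gw.example.net": {"alice@example.com"}}, "gw.example.net")
ALICE = Peer({"laptop.example.com": {"gw.example.net"},
              "alice@example.com": {"gw.example.net"}}, "alice@example.com")

if __name__ == "__main__":
    # Normal direction works without a hint.
    print(phase1(ALICE, GATEWAY, "gw.example.net", send_hint=False))    # True
    # Roles reversed after an unbalanced SA expiry: fails without a hint,
    # succeeds with one; an unknown hint is ignored and the exchange fails.
    print(phase1(GATEWAY, ALICE, "alice@example.com", send_hint=False)) # False
    print(phase1(GATEWAY, ALICE, "alice@example.com", send_hint=True))  # True
    print(phase1(GATEWAY, ALICE, "carol@example.com", send_hint=True))  # False
```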