
Re: Phase 1 IDs ("son of IKE")




In message <200108062315.QAA09683@potomac.incog.com>, Mike "Ford" Ditto writes:
 >
 >The responder could conceivably use any information available, such as
 >the proposed Phase I protection suite or the time of day.

What I meant was that the Responder cannot know what the Initiator had
in mind.

 >One problem is that the initiator's policy may not express the
 >desired/allowed remote identity in a simple form that can be conveyed to
 >the responder.  For example, the initiator's policy may allow a
 >connection with any remote identity that has a certificate signed by a
 >particular CA,

This particular case is possible by sending the appropriate CERTREQ message.

 >But if the identity hint was used as an abstract name, rather than the
 >exact identity that the responder is expected to use, it could be used
 >as a kind of generic "scope" or "role" identifier.  For example, if the
 >initiator sends a hint of "internal-vpn.my.org", then a responder with
 >many local identities could be configured to choose the identity that is
 >appropriate for use as a gateway to the internal VPN when it sees that
 >particular hint; for other hints it could be configured to use a more
 >public identity.

My concern with this is that it's more complicated than the simple case of
"here's what I'd like you to use", both in terms of semantics, the effort that
has to go into specs, and code.

In any case, as I said, the Responder is free to ignore the hint and use some
other Phase 1 ID (which the Initiator may or may not like). Furthermore, the
Responder, given the hint and the Initiator's ID, has enough information to
in fact reverse the roles and act as an Initiator with the appropriate Phase 1
ID for itself.

Finally, the "pick the right role" can, at least partly, be done by examining
just the Initiator's Phase 1 ID. What I suggest is really useful for per-user
keying, less so for host/user-to-host.
-Angelos
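The responder-side selection the two posts compare (a hint naming an exact local identity, a hint used as an abstract scope/role name, the Responder ignoring a hint it does not understand, and choosing from the Initiator's own Phase 1 ID alone), as an added Python model that is not part of the thread or of any IKE implementation; the policy structure, identity strings and hint values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class ResponderPolicy:
    local_ids: Set[str]            # identities this responder can present
    scope_map: Dict[str, str]      # abstract hint -> local identity to use
    default_id: str                # identity used when no usable hint arrives
    per_peer: Dict[str, str] = field(default_factory=dict)  # initiator ID -> local identity

def select_phase1_id(policy: ResponderPolicy, initiator_id: str,
                     hint: Optional[str]) -> Tuple[str, str]:
    """Choose the Responder's Phase 1 ID; returns (identity, rule that fired)."""
    # Role picked from the Initiator's own Phase 1 ID, no hint needed
    # (the per-user keying case).
    if initiator_id in policy.per_peer:
        return policy.per_peer[initiator_id], "initiator-id"
    if hint is None:
        return policy.default_id, "no-hint"
    # "Here's what I'd like you to use": hint names one of our identities.
    if hint in policy.local_ids:
        return hint, "exact-hint"
    # Hint treated as an abstract scope/role name mapped by local config.
    if hint in policy.scope_map:
        return policy.scope_map[hint], "scope-hint"
    # The Responder is free to ignore a hint it does not recognise.
    return policy.default_id, "hint-ignored"

def initiator_accepts(allowed_ids: Set[str], responder_id: str) -> bool:
    """Initiator-side check: the Responder's choice may or may not be acceptable."""
    return responder_id in allowed_ids

# Constructed policy for a gateway that holds several identities.
POLICY = ResponderPolicy(
    local_ids={"gw.example.org", "vpn-gw.example.org", "users-gw.example.org"},
    scope_map={"internal-vpn.example.org": "vpn-gw.example.org"},
    default_id="gw.example.org",
    per_peer={"alice@example.org": "users-gw.example.org"},
)

if __name__ == "__main__":
    for init_id, hint in [("host1.example.org", "vpn-gw.example.org"),
                          ("host1.example.org", "internal-vpn.example.org"),
                          ("host1.example.org", "unknown-hint"),
                          ("alice@example.org", None)]:
        chosen, rule = select_phase1_id(POLICY, init_id, hint)
        print(f"{init_id!r} hint={hint!r} -> {chosen} ({rule}); "
              f"initiator accepts: {initiator_accepts({'vpn-gw.example.org'}, chosen)}")
```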




