
Re: Son-of-IKE Selection Criteria?



Steven M. Bellovin writes:
 > The real problem here is that it puts the local operator -- the ISP, 
 > the hotel, the conference LAN organizers -- in the critical path.  If 
 > one needs an address-based certificate, one can't do *anything* without 
 > local operator co-operation.  Apart from the fact that that doesn't 
 > scale very well -- between last Tuesday and next Friday, I'll have been 
 > in four different cities, have used or will use at least four different
 > LANs (two of which used borrowed jacks and/or IP addresses), etc., and 
 > I'd have used more if airports and train stations (and, for that 
 > matter, airplanes and trains) had 802.11 or Ethernet available.  Why 
 > should I need to go through that many ISPs instead of having a 
 > certificate (public key, actually) issued by my employer for VPN access?

With IP4 this is something of a hopeless
situation, but with IP6 things may be
better. Instead of certifying the entire address,
suppose you certified the suffix instead?  That
is, the identity is your NAI or whatever which is
independent of your attachment point. As far as I
can tell, this would solve this problem, though I
suppose you could complain about the birthday
paradox with djinned up private addresses.

	     Mike
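As an added sketch of the idea in Mike's message (example code, not anything from the thread): a check that binds an identity to the IPv6 suffix rather than the whole address, so the same certificate verifies from any attachment point, together with the birthday bound on randomly chosen suffixes he alludes to. The 64-bit suffix width and the sample addresses are assumptions.

```python
import ipaddress
import math

# Width of the IPv6 interface-identifier suffix; 64 bits is an assumption
# for this sketch, not something the thread specifies.
SUFFIX_BITS = 64

def suffix_of(addr: str, bits: int = SUFFIX_BITS) -> int:
    """Low `bits` of an IPv6 address: the part that stays constant when
    the host moves to a network with a different prefix."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << bits) - 1)

def suffix_matches(certified_suffix: int, observed_addr: str,
                   bits: int = SUFFIX_BITS) -> bool:
    """A certificate bound only to the suffix accepts any address that
    carries it, whatever prefix the local operator handed out."""
    return suffix_of(observed_addr, bits) == certified_suffix

def birthday_collision_prob(n: int, bits: int = SUFFIX_BITS) -> float:
    """Chance that n hosts choosing uniformly random suffixes produce at
    least one duplicate (standard 1 - exp(-n(n-1)/2N) approximation)."""
    space = 1 << bits
    if n > space:
        return 1.0
    return -math.expm1(-n * (n - 1) / (2 * space))

if __name__ == "__main__":
    # Constructed addresses: same host-chosen suffix, two attachment points.
    home = "2001:db8:1::a1b2:c3d4:e5f6:0001"
    hotel = "2001:db8:77::a1b2:c3d4:e5f6:0001"
    cert_suffix = suffix_of(home)
    print(suffix_matches(cert_suffix, hotel))             # True
    print(suffix_matches(cert_suffix, "2001:db8:77::2"))  # False
    print(birthday_collision_prob(2 ** 32))               # ~0.39
```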
