
Re: Should Alice say who she wants to talk to?



Jan Vilhuber wrote:
> 
> On Mon, 17 Dec 2001, Sara Bitan wrote:
> 
> > Radia - why aren't the (IKEv2 analog to) phase II IDs sufficient to handle
> > that scenario you are describing?
> 
> Because they are way too late in the exchange to be of any use in picking
> which identity a server may want to pose as.
> 
> > Does each one of the services/ the hosts behind the firewall have a distinct
> > private/public key pair?
> >
> Yes.

If the recipient ID was in plaintext, the firewall could also just forward the
IKE packet to some internal address, thus the private keys would be in different
boxes. This'd be a fancy form of NAT :). But it'd be secure.

Is this necessary? That is the question.

Ari

-- 
"They that can give up essential liberty to obtain a little 
temporary safety deserve neither liberty nor safety." - Benjamin Franklin

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com

F(ully)-Secure products: Securing the Mobile Enterprise