Re: Should Alice say who she wants to talk to?
Jan Vilhuber wrote:
>
> On Mon, 17 Dec 2001, Sara Bitan wrote:
>
> > Radia - why aren't the (IKEv2 analog to) phase II IDs sufficient to handle
> > that scenario you are describing?
>
> Because they are way too late in the exchange to be of any use in picking
> which identity a server may want to pose as.
>
> > Does each one of the services/ the hosts behind the firewall have a distinct
> > private/public key pair?
> >
> Yes.
If the recipient ID was in plaintext, the firewall could also just forward the
IKE packet to some internal address, thus the private keys would be in different
boxes. This'd be a fancy form of NAT :). But it'd be secure.
Is this necessary? That is the question.
Ari
--
"They that can give up essential liberty to obtain a little
temporary safety deserve neither liberty nor safety." - Benjamin Franklin
Ari Huttunen, Software Architect
F-Secure Corporation, http://www.F-Secure.com
phone: +358 9 2520 0700, fax: +358 9 2520 5001
F(ully)-Secure products: Securing the Mobile Enterprise
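The "fancy NAT" idea above, as an added toy model that is not code from this thread or from any IKE implementation: a gateway forwards the initiator's first message to whichever internal box holds the matching private key, deciding on a recipient identity carried in plaintext. The message layout, host names, addresses and routing table are all invented for illustration (this is not IKEv2 payload encoding), and per-host HMAC secrets stand in for per-host private keys so the example runs with the standard library only; the initiator holding the same secret is part of that stand-in, where a real initiator would check a signature with the host's public key.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed toy model (added example, not the thread's own code) of routing
# an IKE-like first message on a plaintext recipient ID. Message format and
# all names below are hypothetical; HMAC secrets stand in for private keys.

# Hypothetical long-term secrets, one per internal host. In the design being
# discussed each internal box holds only its own key.
HOST_SECRETS = {
    "mail.example.com": b"long-term-secret-of-mail-box",
    "www.example.com": b"long-term-secret-of-www-box",
}

# Hypothetical gateway routing table: plaintext recipient ID -> internal address.
ROUTES = {
    "mail.example.com": "10.0.0.11",
    "www.example.com": "10.0.0.12",
}


def build_init(nonce_i: bytes, id_r_hint: Optional[str]) -> dict:
    """Initiator's first message; id_r_hint is the plaintext recipient ID under debate."""
    return {"nonce_i": nonce_i, "id_r_hint": id_r_hint}


def gateway_dispatch(init_msg: dict) -> Optional[str]:
    """Pick an internal address from the plaintext hint alone.

    Without the hint the gateway has nothing to route on (in the exchange being
    discussed the later ID payloads arrive too late to help), so it returns None.
    An unknown hint also yields None rather than a guess.
    """
    hint = init_msg.get("id_r_hint")
    if hint is None:
        return None
    return ROUTES.get(hint)


def host_respond(host_id: str, init_msg: dict, nonce_r: bytes) -> dict:
    """Internal host answers, proving its identity with its own secret over the transcript."""
    transcript = init_msg["nonce_i"] + nonce_r + host_id.encode()
    auth = hmac.new(HOST_SECRETS[host_id], transcript, hashlib.sha256).digest()
    return {"nonce_r": nonce_r, "id_r": host_id, "auth": auth}


def initiator_verify(wanted_id: str, init_msg: dict, resp: dict) -> bool:
    """Initiator checks that the box it reached is the one it wanted to talk to."""
    if resp["id_r"] != wanted_id:
        return False
    transcript = init_msg["nonce_i"] + resp["nonce_r"] + wanted_id.encode()
    expected = hmac.new(HOST_SECRETS[wanted_id], transcript, hashlib.sha256).digest()
    return hmac.compare_digest(expected, resp["auth"])


def run_exchange(wanted_id: str, id_r_hint: Optional[str]) -> Tuple[Optional[str], bool]:
    """Run one exchange; returns (internal address reached, did the initiator verify it)."""
    init_msg = build_init(b"nonce-i-0001", id_r_hint)
    addr = gateway_dispatch(init_msg)
    if addr is None:
        return None, False
    host_id = next(h for h, a in ROUTES.items() if a == addr)
    resp = host_respond(host_id, init_msg, b"nonce-r-0001")
    return addr, initiator_verify(wanted_id, init_msg, resp)


if __name__ == "__main__":
    print(run_exchange("mail.example.com", "mail.example.com"))  # routed to mail box, verified
    print(run_exchange("mail.example.com", None))                # no hint: gateway cannot route
    print(run_exchange("mail.example.com", "www.example.com"))   # wrong box reached, auth fails
```

Two points the model makes visible. The hint is only used for routing and is not itself authenticated: if it is altered on the way, the initiator ends up at a box whose proof of identity does not match the one it wanted, so the exchange fails rather than silently binding to the wrong host. And the cost of the scheme is exactly the trade-off in this thread's subject line: the hint is in the clear, so anyone watching the path sees which internal identity the initiator asked for.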