
Re: addresses and IKEv2



Alex,

>Steve,
>
>On the surface using a global name space like DNS seems like a good
>idea.  But the fundamental problem is that a DNS name maps to an IP
>address which is already a slippery beast.  Also not every IP address
>has a corresponding DNS name.  And a DNS name can map to multiple IP
>addresses.  So the certificate binding of a DNS name to a Public Key is
>not a practical approach.  An X.500 DN is even worse; except for LDAP
>trees, it is hardly used.

In IKE, the mapping between any symbolic name and an IP address is 
dynamic, so when this sort of symbolic name use is appropriate for 
locally administered access control (via the SPD), the problems you 
cite here do not seem to arise.

>A much better approach is to have a large, global numerical address space.
>Each host then is assigned a unique security address from this space.  IP
>addresses can flit in and out of existence for a host, but its security
>address remains fixed, at least for the duration between enrollment and
>revocation in an "IPsec global system".  If one can reliably assign a
>unique number to each host, then it can be used to look up the authentication
>key in a secure database to verify that indeed a particular host is assigned
>that number.  Once you can rely on this number, effectively a global host id,
>it is much more practical to automate the setting up of a VPN between two
>hosts, even in the context of Mobile IP or through a NAT or even between two
>different organizations.

I disagree. Experience has shown that access control systems are very 
much prone to human error when new forms of ID are introduced that 
are not readily understood by the people managing these systems. We 
are comfortable with DNS names, so DNS names are appropriate here. 
DNs are more descriptive in some contexts, and some people are 
comfortable with them, so they are appropriate in some contexts as 
well. A new set of globally unique, numerical IDs will be alien to 
everyone and will require mapping to some form of name that people do 
relate to, and the creation of that mapping will introduce errors.

>It seems to me that until the issue of how to effectively identify hosts and
>manage the resulting address space is agreed upon all the IKEs and JFKs
>will be failures.  Or at best they will only be a way to automate the key
>suite negotiation between two hosts (or VPN gateways), thus providing just
>a modest advantage over the manual keying that dominates IPsec VPN setup today.

I don't see your point. End users and system administrators already 
make use of the DNS to identify the vast majority of hosts, because 
this is the way that we refer to these hosts in our applications. 
Thus it makes sense to retain that way of identifying hosts in access 
control systems, to minimize confusion.

Steve
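The point Steve makes about the SPD, as an added illustration that is not part of the original thread or of any IKE implementation: a toy Security Policy Database whose entries are keyed by the identity the peer proves during IKE authentication (an FQDN, a DN, or an address) rather than by whatever IP address the peer happens to be using. The identity types, the normalization rules, the sample entries and the "host moves address" scenario are all constructed for this example.

```python
"""
Added example, not code from the original mailing-list thread: a toy model
of an IPsec SPD keyed by the peer's authenticated IKE identity. The identity
types, sample policy entries and scenario below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class IdType(Enum):
    """Identity types modelled loosely on the ID payload types IKE carries."""
    IPV4_ADDR = "ipv4"
    FQDN = "fqdn"
    DER_ASN1_DN = "dn"


@dataclass(frozen=True)
class PeerId:
    kind: IdType
    value: str


@dataclass(frozen=True)
class SpdEntry:
    """One policy entry: the authenticated peer identity it applies to and
    the action for traffic exchanged with that peer."""
    peer: PeerId
    action: str  # constructed actions: "protect", "bypass", "discard"


def normalize(pid: PeerId) -> PeerId:
    """Canonicalize an identity so that case or trailing-dot differences in
    an FQDN, or spacing differences in a DN, do not cause false mismatches.
    This is the kind of mapping step that is easy to get wrong in practice."""
    if pid.kind is IdType.FQDN:
        return PeerId(pid.kind, pid.value.rstrip(".").lower())
    if pid.kind is IdType.DER_ASN1_DN:
        rdns = [r.strip() for r in pid.value.split(",")]
        return PeerId(pid.kind, ",".join(rdns))
    if pid.kind is IdType.IPV4_ADDR:
        return PeerId(pid.kind, str(ipaddress.ip_address(pid.value)))
    return pid


class Spd:
    """Exact-match policy lookup on the authenticated identity."""

    def __init__(self, entries: Iterable[SpdEntry]):
        self._entries = {normalize(e.peer): e for e in entries}

    def lookup(self, authenticated_id: PeerId) -> Optional[str]:
        """Return the action for the identity the peer proved during IKE
        authentication, or None when no entry applies (no SA is set up)."""
        entry = self._entries.get(normalize(authenticated_id))
        return entry.action if entry else None


def mobile_host_scenario() -> dict:
    """Constructed scenario: the same gateway authenticates first from one
    address and later from another. An FQDN-keyed entry keeps matching; an
    address-keyed entry silently stops applying once the host moves."""
    spd = Spd([
        SpdEntry(PeerId(IdType.FQDN, "gw1.example.net"), "protect"),
        SpdEntry(PeerId(IdType.IPV4_ADDR, "192.0.2.10"), "protect"),
        SpdEntry(PeerId(IdType.DER_ASN1_DN, "C=US, O=Example, CN=gw2"), "protect"),
    ])
    # Before the move: the certificate names the host by FQDN, and it sits
    # at 192.0.2.10 (a documentation address, chosen for the example).
    fqdn_before = spd.lookup(PeerId(IdType.FQDN, "GW1.example.net."))
    ip_before = spd.lookup(PeerId(IdType.IPV4_ADDR, "192.0.2.10"))
    # After renumbering, Mobile IP or a NAT: same proven identity, new address.
    fqdn_after = spd.lookup(PeerId(IdType.FQDN, "gw1.example.net"))
    ip_after = spd.lookup(PeerId(IdType.IPV4_ADDR, "198.51.100.7"))
    dn_match = spd.lookup(PeerId(IdType.DER_ASN1_DN, "C=US,O=Example,CN=gw2"))
    return {
        "fqdn_before": fqdn_before,
        "ip_before": ip_before,
        "fqdn_after": fqdn_after,
        "ip_after": ip_after,
        "dn": dn_match,
    }


if __name__ == "__main__":
    for key, action in mobile_host_scenario().items():
        print(f"{key}: {action}")
```

The lookup key is the identity the peer proved with its credential, never the source address of the packet; that is what lets the name-to-address mapping stay dynamic without the policy changing. The `normalize` step stands in for the name-mapping work Steve warns about: a policy language people already understand (DNS names) keeps that step small, while an unfamiliar numeric ID space would need an extra human-maintained mapping layer before anyone could read the policy.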