Re: addresses and IKEv2
Alex,
>Steve,
>
>On the surface using a global name space like DNS seems like a good
>idea. But the fundamental problem is that a DNS name maps to an IP
>address which is already a slippery beast. Also not every IP address
>has a corresponding DNS name. And a DNS name can map to multiple IP
>addresses. So the certificate binding of a DNS name to a Public Key is
>not a practical approach. A X.500 DN is even worse, except for LDAP
>trees, it is hardly used.
In IKE, the mapping between any symbolic name and an IP address is
dynamic, so when this sort of symbolic name use is appropriate for
locally administered access control (via the SPD), the problems you
cite here do not seem to arise.
>A much better approach is to have a large, global numerical address space.
>Each host then is assigned a unique security address from this space. IP
>addresses can flit in and out of existence for a host, but its security
>address remains fixed, at least for the duration between enrollment and
>revocation in an "IPsec global system". If one can reliably assign a
>unique number to each host, then it can be used to look up the authentication
>key in a secure database to verify that indeed a particular host is assigned
>that number. Once you can rely on this number, effectively a global host id,
>it is much more practical to automate the setting up of a VPN between two
>hosts, even in the context of Mobile IP or through a NAT or even between two
>different organizations.
I disagree. Experience has shown that access control systems are very
much prone to human error when new forms of ID are introduced that
are not readily understood by the people managing these systems. We
are comfortable with DNS names, so DNS names are appropriate here.
DNs are more descriptive in some contexts, and some people are
comfortable with them, so they are appropriate in some contexts as
well. A new set of globally unique, numerical IDs will be alien to
everyone and will require mapping to some form of name that people do
relate to, and the creation of that mapping will introduce errors.
>It seems to me that until the issue of how to effectively identify hosts and
>manage the resulting address space is agreed upon all the IKEs and JFKs
>will be failures. Or at best they will only be a way to automate the key suite
>negotiation between two hosts (or VPN gateways), thus providing just a modest
>advantage over the manual keying that dominates IPsec VPN setup today.
I don't see your point. End users and system administrators already
make use of the DNS to identify the vast majority of hosts, because
this is the way that we refer to these hosts in our applications.
Thus it makes sense to retain that way of identifying hosts in access
control systems, to minimize confusion.
Steve
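The point Steve makes above, that an SPD keyed by a symbolic peer identity leaves the name-to-address binding to each IKE exchange, is shown below in a small model. This is an added example, not code from the thread or from any IKE implementation; the ID type values are the ones IKE uses for IPv4 address, FQDN and DER DN identities, but the policy entries, host names, DNs and addresses are constructed for illustration, and certificate chain and signature verification are assumed to have already happened before admit_peer() is reached.

```python
from dataclasses import dataclass
import ipaddress

# IKE Identification payload ID types (values from RFC 2407 / RFC 4306).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_DER_ASN1_DN = 9


@dataclass(frozen=True)
class PeerCert:
    """Fields of a peer certificate after its chain and signature have been checked
    (that step is assumed done elsewhere; this model starts from its result)."""
    subject_dn: str
    san_dns: tuple  # dNSName entries from SubjectAltName


@dataclass(frozen=True)
class SpdEntry:
    """One locally administered policy entry keyed by a symbolic peer identity."""
    peer_id_type: int
    peer_id: str
    remote_selector: str  # traffic allowed behind this peer, as CIDR
    action: str  # "protect" or "discard"


def identity_backed_by_cert(id_type, id_value, cert):
    """True iff the ID payload the peer asserted is vouched for by the certificate
    it authenticated with. Anything else is a bare claim and is refused."""
    if id_type == ID_FQDN:
        return id_value.lower() in {n.lower() for n in cert.san_dns}
    if id_type == ID_DER_ASN1_DN:
        return id_value == cert.subject_dn
    return False  # an IP-address ID proves nothing about who sent the packet


def lookup_policy(spd, id_type, id_value):
    """Case-insensitive match of the authenticated identity against the SPD."""
    for entry in spd:
        if entry.peer_id_type == id_type and entry.peer_id.lower() == id_value.lower():
            return entry
    return None


def admit_peer(spd, src_ip, id_type, id_value, cert):
    """Model of the decision taken once the peer has authenticated: the address is
    learned from the packet that arrived, the policy lookup uses only the name."""
    if not identity_backed_by_cert(id_type, id_value, cert):
        return ("reject", "asserted identity is not in the peer's certificate")
    entry = lookup_policy(spd, id_type, id_value)
    if entry is None:
        return ("reject", "no policy for this identity")
    if entry.action != "protect":
        return ("reject", "policy says discard")
    # The name-to-address binding is created here, for this exchange only.
    return ("protect", {
        "peer": entry.peer_id,
        "peer_addr": str(ipaddress.ip_address(src_ip)),
        "remote_selector": entry.remote_selector,
    })


# Constructed sample policy and certificates (hypothetical names, not from the thread).
SPD = (
    SpdEntry(ID_FQDN, "gw.branch.example.net", "10.20.0.0/16", "protect"),
    SpdEntry(ID_DER_ASN1_DN, "CN=vpn2,O=Partner Org,C=US", "192.168.50.0/24", "protect"),
)
BRANCH_CERT = PeerCert("CN=gw.branch.example.net,O=Example", ("gw.branch.example.net",))
IMPOSTOR_CERT = PeerCert("CN=laptop17,O=Example", ("laptop17.example.net",))
PARTNER_CERT = PeerCert("CN=vpn2,O=Partner Org,C=US", ())


def demo():
    """Runs the cases the argument turns on and returns the decisions."""
    return {
        # Same gateway, two different addresses (re-homed or behind a NAT): same policy hits.
        "branch_from_a": admit_peer(SPD, "203.0.113.7", ID_FQDN, "gw.branch.example.net", BRANCH_CERT),
        "branch_from_b": admit_peer(SPD, "198.51.100.42", ID_FQDN, "GW.Branch.Example.NET", BRANCH_CERT),
        # A host asserting a name its certificate does not carry is refused before any lookup.
        "impostor": admit_peer(SPD, "203.0.113.7", ID_FQDN, "gw.branch.example.net", IMPOSTOR_CERT),
        # A partner identified by its DN is handled the same way.
        "partner": admit_peer(SPD, "192.0.2.9", ID_DER_ASN1_DN, "CN=vpn2,O=Partner Org,C=US", PARTNER_CERT),
        # An address-typed ID is never accepted as proof of identity in this model.
        "by_address": admit_peer(SPD, "203.0.113.7", ID_IPV4_ADDR, "203.0.113.7", BRANCH_CERT),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The policy table never contains an address, so the same entry admits the branch gateway whether it arrives from 203.0.113.7 or from 198.51.100.42; what changes between the two exchanges is only the binding recorded in the result. The impostor case is the check that makes name-keyed policy safe: the asserted FQDN is compared against the certificate before the SPD is consulted, so a host cannot obtain another peer's policy by sending that peer's name in its ID payload.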