
Re: addresses and IKEv2




----- Original Message -----
From: "Alex Alten" <Alten@attbi.com>
To: "Stephen Kent" <kent@bbn.com>
Cc: <ipsec@lists.tislabs.com>
Sent: Sunday, June 02, 2002 3:55 PM
Subject: Re: addresses and IKEv2


> Let's follow your argument through.  I need to establish an IPsec
> connection to www.kent.com.  It is currently assigned to machine A which
> has an address of 200.200.200.1.  The next morning the admin decides to
> change the DNS entry to point to machine B at 200.200.200.2.  Now my
> IPsec connection will fail, even though machine A at 200.200.200.1 is
> still active!  Why? Because the key is residing on A not on B.  So using
> a cert with a DNS name bound to the key is useless.  Any system relying
> on it will quickly run into the problem of how do you keep DNS names and
> keys in synch across multiple machines.  And it is *not* good security
> practice to keep transferring private authentication keys (either AES or
> RSA) from machine to machine every time a DNS entry changes.  It makes a
> mockery of using a key to automate the authentication of a particular
> machine.  So certs are useless, you need the flexibility of reassigning a
> new DNS name to A's key!  But how can I find the new DNS name for A in order
> to get the correct key?  To solve this problem, if you don't allow the DNS
> name www.kent.com to change to B then you defeat one of the main reasons to
> use DNS.  A catch-22 results.  Therefore PKI certs & DNS don't mix.
>

There is no reason why the connection would fail to B.  B would (well at
least should) have been assigned a new certificate which contains the
desired DNS name, as part of the process of bringing it on line.  So when
you attempt to connect to B, IKE goes through the motions, you get B's
certificate (not A's) during phase one with the DNS name kent.com in it and
everything will validate.  There is no need to "share" a key pair across the
two machines.  If it is the administrator's desire to have A remain active
for a time then yes two machines will have certificates that contain the
same DNS name.  If it is not then the administrator revokes A's certificate
at the same time he takes A off line and puts B on.

Greg
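A small model of the check Greg describes, added here as an illustration and not code from the thread: each machine keeps its own key pair, the CA issues each machine a certificate naming www.kent.com, and the initiator accepts whichever certificate it is handed during phase one as long as the CA signature verifies, the dNSName matches the name it dialled, the serial is not revoked, and the peer proves it holds the certified key. The HMAC "signature", the key fingerprints and the serial numbers are constructed stand-ins for the real X.509 machinery.

```python
"""Model of per-machine certificates that share one DNS name.
CA signature is an HMAC stand-in (constructed); real IKE uses X.509."""
import hashlib
import hmac
import json
from dataclasses import dataclass

CA_SIGNING_KEY = b"constructed-ca-key"  # stands in for the CA's private key


@dataclass(frozen=True)
class Cert:
    serial: int      # used by the CRL to revoke exactly this certificate
    dns_name: str    # subjectAltName dNSName the CA vouches for
    key_fp: str      # fingerprint of the machine's own public key
    sig: bytes       # CA signature over (serial, dns_name, key_fp)


def _tbs(serial: int, dns_name: str, key_fp: str) -> bytes:
    """Canonical to-be-signed encoding of the certificate fields."""
    return json.dumps([serial, dns_name, key_fp]).encode()


def ca_issue(serial: int, dns_name: str, key_fp: str) -> Cert:
    """CA issues a cert binding this machine's key to the DNS name."""
    sig = hmac.new(CA_SIGNING_KEY, _tbs(serial, dns_name, key_fp), hashlib.sha256).digest()
    return Cert(serial, dns_name, key_fp, sig)


def ca_signature_ok(cert: Cert) -> bool:
    expected = hmac.new(CA_SIGNING_KEY, _tbs(cert.serial, cert.dns_name, cert.key_fp),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.sig)


def accept_peer(cert: Cert, dialled_name: str, crl: set, peer_key_fp: str):
    """Initiator's phase-one decision on the certificate the peer sent.
    peer_key_fp models the proof-of-possession the AUTH payload gives."""
    if not ca_signature_ok(cert):
        return False, "bad CA signature"
    if cert.serial in crl:
        return False, "certificate revoked"
    if cert.dns_name.lower() != dialled_name.lower():   # DNS names are case-insensitive
        return False, "name mismatch"
    if cert.key_fp != peer_key_fp:
        return False, "peer does not hold certified key"
    return True, "ok"


# Constructed scenario: A and B each get their own cert for www.kent.com.
CERT_A = ca_issue(1, "www.kent.com", "fp-A")
CERT_B = ca_issue(2, "www.kent.com", "fp-B")
```

With an empty CRL both A and B are accepted under the same name; revoking serial 1 when A is taken offline rejects A while B keeps working, and B's certificate never helps a peer that only holds A's key.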