
RE: SOI QUESTION: 3.4 Preferred ID for responder



On Tue, 25 Jun 2002, Stephane Beaulieu wrote:

>
> >
> >
> > Please discuss and answer this question:
> >
> > 3.4 Preferred ID for responder
> >
> > 3.4.A) In JFK and IKEv2, the initiator can include a payload that is an
> > indication to the responder as to what identity (and corresponding key
> > material) the responder should use to authenticate to the initiator. In
> > JFKr and IKEv2, this value is encrypted in message 3; in JFKi, it is sent
> > in the clear in message 1, thereby allowing a passive attack on the
> > responder's likely identity. Is it important to encrypt this identity?
>
> Isn't this the same question as 2.1.C? or am I just reading it wrong?
>

It's certainly related. There have been cases (which I promised Dan
I'd flesh out in more detail) where it's nice to have the initiator
tell the responder who HE (the initiator) thinks the responder
is. Does this blow the responder's cover? Maybe....

Example (as best I remember): You may want to host multiple 'domains'
on a single SGW, but you don't want to burn up one IP address per
virtual domain. The initiator may want to tell the responder which
service they are trying to reach, so that the responder can reply with
the appropriate credentials...

I thought Charlie came up with a cute moniker for this, but I can't
now remember what it was.

I remember being for this, but it would be nice if we had some more
concrete examples which could be debated...

jan


>
> >
> > Implications from the scenarios:
> >
> > [none]
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

http://www.eff.org/cafe
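An added simulation of the point under discussion, written for this page and not taken from the thread or from any IKE/JFK implementation: an SGW hosting several virtual domains picks its credential from the initiator's responder-ID hint, and a passive observer sees that hint in JFKi message 1 but only ciphertext in IKEv2 message 3. The DH group, the XOR keystream standing in for the encrypted payload, and the domain names are constructed stand-ins, and nonces are omitted.

```python
import hashlib
import json
import secrets

# Toy DH group for the simulation (2**127 - 1 is prime). Not a real IKE group.
P, G = 2**127 - 1, 3

# Constructed: one SGW hosting several virtual domains, each with its own credential.
RESPONDER_CREDS = {"vpn.example.test": "cert-for-vpn",
                   "mail.example.test": "cert-for-mail"}

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for the encrypted payload of message 3; illustrative only.
    out, i = bytearray(), 0
    while len(out) < len(data):
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(a ^ b for a, b in zip(data, out))

def run_exchange(variant: str, preferred_idr: str, observer: list) -> str:
    """Simulate the start of JFKi or IKEv2. Appends everything a passive
    observer on the wire can read to `observer`; returns the credential the
    responder selects for the requested virtual domain."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gi, gr = pow(G, x, P), pow(G, y, P)
    if variant == "jfki":
        # Message 1 carries the responder-ID hint in the clear.
        msg1 = {"gi": gi, "IDr_hint": preferred_idr}
        observer.append(msg1)
        return RESPONDER_CREDS[msg1["IDr_hint"]]
    if variant == "ikev2":
        observer.append({"gi": gi})   # message 1: key exchange only
        observer.append({"gr": gr})   # message 2: key exchange only
        k_i = hashlib.sha256(str(pow(gr, x, P)).encode()).digest()
        k_r = hashlib.sha256(str(pow(gi, y, P)).encode()).digest()
        # Message 3: the IDr hint travels inside the encrypted payload.
        msg3 = _keystream_xor(k_i, json.dumps({"IDr_hint": preferred_idr}).encode())
        observer.append({"enc": msg3.hex()})
        hint = json.loads(_keystream_xor(k_r, msg3))["IDr_hint"]
        return RESPONDER_CREDS[hint]
    raise ValueError(variant)

def observer_learns_hint(variant: str, preferred_idr: str) -> bool:
    """True if the wire trace exposes which virtual domain was requested."""
    seen = []
    run_exchange(variant, preferred_idr, seen)
    return any(preferred_idr in json.dumps(m) for m in seen)
```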