[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Adding revised identities to IKEv2

To: "Padmapriya Parthasarathy" <padmapriyap@hotmail.com>
Subject: Re: Adding revised identities to IKEv2
From: Stephen Kent <kent@bbn.com>
Date: Wed, 13 Nov 2002 11:37:04 -0500
Cc: ipsec@lists.tislabs.com
In-Reply-To: <F25gzDgtZKpjE5aHaZV00000208@hotmail.com>
References: <F25gzDgtZKpjE5aHaZV00000208@hotmail.com>
Sender: owner-ipsec@lists.tislabs.com

>  > > > - with regard to identities, IPsec supports two basic types 
>of > > identities: addresses and symbolic names. > >And symbolic 
>names IMHO is the only way to establish/authenticate a >secure 
>connection in a dynamic environment. > > > - when names are used as 
>identities, we need to be able to map the > > name to a current 
>address (during SA establishment) so that we can > > make later 
>decisions on a per-packet basis using the current 
>address. > >Absolutely. But start from symbolic names, and map them 
>to IP address >for Phase 2. Seems easy/trivial to implement. Do we 
>really do this mapping ? We either get separate ID payload in phase 
>II or the ip headers implicitly carry the phase II identity. Do we 
>ever try to validate this with the phase I identity e.g. mapping the 
>FQDN in Phase I to the IP address in Phase II (or reverse lookup of 
>IP address to phase I identity) or checking with the address in 
>certificate with the one in Phase II. thanks priya > > - we don't 
>have to trust an IPsec peer to assert the right name for > > itself 
>or an entity behind it. we need to have an authentication > > 
>mechanism that allows us to verify that the asserted name is 
>valid > > relative to some framework for names. > >Oh sure. If I say 
>the entity name is "Uri Blumenthal" - then there has >to be a 
>key/cert associated with that name. As it only matters for >signing 
>the Phase 1 exchange to validate IP address from which the >traffic 
>is originating, for subsequent Phase 2 things. > > > I suggest that 
>we better document these notions, and offer as > > examples, the 
>sort of identification and authentication processes I > > note above 
>as we go forward with IKE v2. Comments? > >I strongly 
>support. > >And I want a relaxed identification - something like "as 
>long as >I can associate a key with the identity, the identity is 
>OK". ---------- MSN 8 helps ELIMINATE E-MAIL VIRUSES. Get 2 months 
>FREE*.

this message is essentially unreadable. please try again if you want 
a response.

Steve

Follow-Ups:
- Re: Adding revised identities to IKEv2
  - From: Mark Baugher <mbaugher@cisco.com>

References:
- Re: Adding revised identities to IKEv2
  - From: "Padmapriya Parthasarathy" <padmapriyap@hotmail.com>

Prev by Date: Fwd: Re: Adding revised identities to IKEv2
Next by Date: Re: draft-ietf-ipsec-pki-profile-01.txt
Prev by thread: Re: Adding revised identities to IKEv2
Next by thread: Re: Adding revised identities to IKEv2
Index(es):
- Date
- Thread