Re: Adding revised identities to IKEv2
It seems that this problem started right about the time that NAI moved to a 
new location.

At 11:37 AM 11/13/2002 -0500, Stephen Kent wrote:
>> > > > - with regard to identities, IPsec supports two basic types of
>> > > > identities: addresses and symbolic names.
>> > >
>> > > And symbolic names IMHO is the only way to establish/authenticate a
>> > > secure connection in a dynamic environment.
>> > >
>> > > > - when names are used as identities, we need to be able to map the
>> > > > name to a current address (during SA establishment) so that we can
>> > > > make later decisions on a per-packet basis using the current address.
>> > >
>> > > Absolutely. But start from symbolic names, and map them to IP address
>> > > for Phase 2. Seems easy/trivial to implement.
>>
>> Do we really do this mapping? We either get a separate ID payload in
>> phase II or the IP headers implicitly carry the phase II identity. Do we
>> ever try to validate this with the phase I identity, e.g. mapping the
>> FQDN in Phase I to the IP address in Phase II (or reverse lookup of IP
>> address to phase I identity), or checking the address in the certificate
>> with the one in Phase II?
>>
>> thanks
>> priya
>>
>> > > > - we don't have to trust an IPsec peer to assert the right name for
>> > > > itself or an entity behind it. we need to have an authentication
>> > > > mechanism that allows us to verify that the asserted name is valid
>> > > > relative to some framework for names.
>> > >
>> > > Oh sure. If I say the entity name is "Uri Blumenthal" - then there has
>> > > to be a key/cert associated with that name. As it only matters for
>> > > signing the Phase 1 exchange to validate IP address from which the
>> > > traffic is originating, for subsequent Phase 2 things.
>> > >
>> > > > I suggest that we better document these notions, and offer as
>> > > > examples, the sort of identification and authentication processes I
>> > > > note above as we go forward with IKE v2. Comments?
>> > >
>> > > I strongly support.
>> > >
>> > > And I want a relaxed identification - something like "as long as
>> > > I can associate a key with the identity, the identity is OK".
>
>this message is essentially unreadable. please try again if you want a 
>response.
>
>Steve