Re: Adding revised identities to IKEv2
It seems that this problem started right about the time that NAI moved to a
new location.
At 11:37 AM 11/13/2002 -0500, Stephen Kent wrote:
>> > > - with regard to identities, IPsec supports two basic types of
>> > > identities: addresses and symbolic names.
>> >
>> > And symbolic names IMHO is the only way to establish/authenticate a
>> > secure connection in a dynamic environment.
>> >
>> > > - when names are used as identities, we need to be able to map the
>> > > name to a current address (during SA establishment) so that we can
>> > > make later decisions on a per-packet basis using the current address.
>> >
>> > Absolutely. But start from symbolic names, and map them to IP address
>> > for Phase 2. Seems easy/trivial to implement.
>>
>> Do we really do this mapping? We either get a separate ID payload in
>> phase II or the IP headers implicitly carry the phase II identity. Do we
>> ever try to validate this with the phase I identity, e.g. mapping the
>> FQDN in Phase I to the IP address in Phase II (or reverse lookup of IP
>> address to phase I identity), or checking the address in the certificate
>> against the one in Phase II?
>>
>> thanks
>> priya
>>
>> > > - we don't have to trust an IPsec peer to assert the right name for
>> > > itself or an entity behind it. we need to have an authentication
>> > > mechanism that allows us to verify that the asserted name is valid
>> > > relative to some framework for names.
>> >
>> > Oh sure. If I say the entity name is "Uri Blumenthal" - then there has
>> > to be a key/cert associated with that name. As it only matters for
>> > signing the Phase 1 exchange to validate IP address from which the
>> > traffic is originating, for subsequent Phase 2 things.
>> >
>> > > I suggest that we better document these notions, and offer as
>> > > examples, the sort of identification and authentication processes I
>> > > note above as we go forward with IKE v2. Comments?
>> >
>> > I strongly support.
>> >
>> > And I want a relaxed identification - something like "as long as
>> > I can associate a key with the identity, the identity is OK".
>
>this message is essentially unreadable. please try again if you want a
>response.
>
>Steve
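The check priya asks about in the quoted message (does a responder ever tie the Phase 2 address back to the Phase 1 identity?) is easy to model. The block below is an added illustration written for this archive page; it is not code from any of the list participants or from an IKE implementation. It assumes that Phase 1 authentication has already verified the peer's signature against its certificate, that the certificate's subjectAltName entries are available as "DNS:" / "IP:" strings, and that the deployment has some binding from a symbolic name to the addresses that name may claim (the NAME_BINDINGS table here is constructed and stands in for DNS, a directory, or local policy). The thread's Phase 1 / Phase 2 wording is kept even though IKEv2 calls these the IKE SA and the CHILD SA.

```python
"""Bind an authenticated Phase 1 identity to the addresses a peer may use in
Phase 2 traffic selectors (illustrative example, not an IKE implementation)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed policy table: which addresses each symbolic name may claim.
# In a real deployment this would come from DNS, a directory, or local config.
NAME_BINDINGS = {
    "gw1.example.test": ["192.0.2.10", "192.0.2.11"],
    "branch.example.test": ["198.51.100.0/24"],
}


@dataclass
class Phase1Result:
    """What Phase 1 established: the asserted ID payload and the cert it was
    signed with (assumed already verified)."""
    identity: str                       # ID payload value, e.g. an FQDN
    id_type: str                        # "FQDN" or "IPV4_ADDR"
    cert_sans: List[str] = field(default_factory=list)   # e.g. "DNS:gw1.example.test"


def identity_bound_to_cert(p1: Phase1Result) -> bool:
    """The 'key/cert associated with that name' test from the thread: the
    asserted ID must appear in the certificate the peer proved possession of."""
    if p1.id_type == "FQDN":
        return f"DNS:{p1.identity}" in p1.cert_sans
    if p1.id_type == "IPV4_ADDR":
        return f"IP:{p1.identity}" in p1.cert_sans
    return False


def allowed_networks(p1: Phase1Result) -> Set[IPNet]:
    """Map the authenticated name to the address space it may speak for."""
    nets: Set[IPNet] = set()
    if p1.id_type == "IPV4_ADDR":
        nets.add(ipaddress.ip_network(p1.identity))
    names = [p1.identity] if p1.id_type == "FQDN" else []
    for san in p1.cert_sans:
        if san.startswith("IP:"):
            nets.add(ipaddress.ip_network(san[3:]))
        elif san.startswith("DNS:"):
            names.append(san[4:])
    for name in names:
        for addr in NAME_BINDINGS.get(name, []):
            nets.add(ipaddress.ip_network(addr))
    return nets


def phase2_selector_authorized(p1: Phase1Result, selector: str) -> bool:
    """A Phase 2 traffic selector is accepted only if it lies entirely inside
    an address range the Phase 1 identity is bound to."""
    sel = ipaddress.ip_network(selector, strict=False)
    return any(sel.subnet_of(net)
               for net in allowed_networks(p1) if net.version == sel.version)


def authorize(p1: Phase1Result, selector: str) -> bool:
    """Full decision: identity must be backed by the cert AND the requested
    selector must fall within that identity's bound addresses."""
    return identity_bound_to_cert(p1) and phase2_selector_authorized(p1, selector)


if __name__ == "__main__":
    # Constructed sample: a peer that authenticated as gw1 wants a selector
    # for one of its bound addresses, then for an address it does not own.
    gw1 = Phase1Result("gw1.example.test", "FQDN", ["DNS:gw1.example.test"])
    print(authorize(gw1, "192.0.2.10/32"))    # bound address: accepted
    print(authorize(gw1, "203.0.113.5/32"))   # not bound to gw1: rejected
```

Two failure modes the thread touches are visible here: a peer whose Phase 1 name is not in its own certificate is rejected before any address reasoning happens, and a correctly authenticated peer is still refused a selector wider than the space its name is bound to (a /23 when the binding is a /24).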