[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Adding revised identities to IKEv2



 In your previous mail you wrote:

   ...   
   	- when names are used as identities, we need to be able to 
   map the name to a current address (during SA establishment) so that 
   we can make later decisions on a per-packet basis using the current 
   address. in this case, we verify that the named entity is at whatever 
   address is asserted by it in real time, and just use that address 
   going forward.

=> this mapping from names to addresses is in this statement done
by looking the source address of received messages (i.e., address
IKE runs over). This cannot provide in all cases the needed flexibility
and safety. For instance the address can be changed "en route",
the peer can put a rogue address (a real concern for 1+1 exchanges),
etc. And if another mapping mechanism is used (IPaddress alternate
Subject names in certificates, DNS/DNSsec, etc) the balance between
flexibility and safety is not the same.
But my main concern is that this balance is not controled: this is just
the result of never documented implementation choices...

Thanks

Francis.Dupont@enst-bretagne.fr