Re: Adding revised identities to IKEv2



At 10:35 11/15/2002 -0800, Michael Thomas wrote:
>  > this is a typical example of statements I disagree with: in fact
>  > signing the Phase 1 exchange doesn't validate IP address. IMHO
>  > you should agree the level of trust in this "validation" is *not*
>  > at the level of trust of cryptographic signatures!
>
>If I'm understanding Francis correctly, I think I
>agree. Identity should not be bound up with IP
>addresses where the credential does not otherwise
>require it:
>1) Credentials are verified, 2) Authorization is applied given the policy in
>the SPD -- for IPsec, this means setting up ... parameters on the receiver
>  side...*may*  or *may* *not* have anything to do with the source IP address
>3) packets are ....checked, classified and run through ......#2........
>
>All of this should be *independent* of the IP address the key management
>protocol is being run on, and in fact should be completely separable.

Ah, with this I agree. I think you mean: not IP address but SA itself is
validated by crypto signatures. That's fine.

Except that to the best of my knowledge, IP addresses are part of SA
information, i.e. filtering is done NOT based solely on SPI...

And replying to Francis - I'm too lazy to check myself, but wasn't cookie
(which is IP address-based) used then as a part of signed contents in
IKEv1 exchange?


>It's really important that we keep this sort of separation as the ability
>to have SA's which are not tangled up with the current IP address is
>extremely useful for mobility and multihoming. More specifically, the
>ability to "project" SA's for mobility could be extremely handy.

I agree with this 100% and more. Strongly.