Re: Adding revised identities to IKEv2
Francis Dupont writes:
> In your previous mail you wrote:
>
> Oh sure. If I say the entity name is "Uri Blumenthal" - then there
> has to be a key/cert associated with that name. As it only matters
> for signing the Phase 1 exchange to validate the IP address from which
> the traffic is originating, for subsequent Phase 2 things.
>
> => this is a typical example of statements I disagree with: in fact
> signing the Phase 1 exchange doesn't validate the IP address. IMHO
> you should agree the level of trust in this "validation" is *not*
> at the level of trust of cryptographic signatures!
If I'm understanding Francis correctly, I think I
agree. Identity should not be bound up with IP
addresses where the credential does not otherwise
require it, cf. X.509, Kerberos, etc. The general
flow on the incoming side should be:
1) Credentials are verified
2) Authorization is applied given the policy in
the SPD -- for IPsec, this means setting up filtering
parameters on the receiver side... this *may*
or *may* *not* have anything to do with the
source IP address
3) packets are integrity checked, classified and
run through the filters established in #2 for
the enforcement
All of this should be *independent* of the IP
address the key management protocol is being run
on, and in fact should be completely separable.
It's really important that we keep this sort of
separation as the ability to have SAs which are
not tangled up with the current IP address is
extremely useful for mobility and multihoming.
More specifically, the ability to "project" SAs
for mobility could be extremely handy.
Mike
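The three-step flow Mike describes, modelled as an added example that is not part of the thread or of any IKE/IPsec implementation: the SPD is keyed by the verified identity, and the packet path never consults the peer's address, so the same SA keeps working when the peer moves. The identity, key, nonce and subnets are constructed, and a shared-key HMAC stands in for the certificate signature and ESP ICV of a real exchange.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample trust store and SPD; names, keys and subnets are made up.
TRUSTED_KEYS: Dict[str, bytes] = {"alice@example.test": b"constructed-key"}
SPD: Dict[str, List[Tuple[ipaddress.IPv4Network, str]]] = {
    "alice@example.test": [(ipaddress.ip_network("10.1.0.0/16"), "tcp")],
}

@dataclass
class SA:
    identity: str
    key: bytes
    filters: List[Tuple[ipaddress.IPv4Network, str]]

def verify_credential(identity: str, nonce: bytes, proof: bytes) -> Optional[str]:
    """Step 1: credential check. Returns the identity on success; no IP address involved."""
    key = TRUSTED_KEYS.get(identity)
    if key is None:
        return None
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return identity if hmac.compare_digest(expected, proof) else None

def establish_sa(identity: Optional[str]) -> Optional[SA]:
    """Step 2: authorization from the SPD, keyed by verified identity, not by source IP."""
    if identity is None or identity not in SPD:
        return None
    return SA(identity, TRUSTED_KEYS[identity], list(SPD[identity]))

def process_packet(sa: SA, peer_ip: str, dst: str, proto: str, payload: bytes, icv: bytes) -> bool:
    """Step 3: integrity check, then the step-2 filters. peer_ip is deliberately unused."""
    expected = hmac.new(sa.key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, icv):
        return False
    dst_addr = ipaddress.ip_address(dst)
    return any(dst_addr in net and proto == p for net, p in sa.filters)

def demo() -> Tuple[bool, bool, bool]:
    """Same SA used from two peer addresses (mobility), plus one off-policy destination."""
    nonce, key = b"constructed-nonce", TRUSTED_KEYS["alice@example.test"]
    proof = hmac.new(key, nonce, hashlib.sha256).digest()
    sa = establish_sa(verify_credential("alice@example.test", nonce, proof))
    payload = b"constructed payload"
    icv = hmac.new(sa.key, payload, hashlib.sha256).digest()
    at_home = process_packet(sa, "192.0.2.10", "10.1.2.3", "tcp", payload, icv)
    roamed = process_packet(sa, "198.51.100.7", "10.1.2.3", "tcp", payload, icv)
    off_policy = process_packet(sa, "198.51.100.7", "10.9.0.1", "tcp", payload, icv)
    return at_home, roamed, off_policy
```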