
Re: Adding revised identities to IKEv2



Francis Dupont writes:
 >  In your previous mail you wrote:
 > 
 >    Oh sure. If I say the entity name is "Uri Blumenthal" - then there
 >    has to be a key/cert associated with that name. As it only matters
 >    for signing the Phase 1 exchange to validate IP address from which
 >    the traffic is originating, for subsequent Phase 2 things.
 >    
 > => this is a typical example of statements I disagree with: in fact
 > signing the Phase 1 exchange doesn't validate IP address. IMHO
 > you should agree the level of trust in this "validation" is *not*
 > at the level of trust of cryptographic signatures!

If I'm understanding Francis correctly, I think I
agree. Identity should not be bound up with IP
addresses where the credential does not otherwise
require it, cf. X.509, Kerberos, etc. The general
flow on the incoming side should be:

1) Credentials are verified
2) Authorization is applied given the policy in
   the SPD -- for IPsec, this means setting up filtering
   parameters on the receiver side... this *may*
   or *may* *not* have anything to do with the
   source IP address
3) Packets are integrity checked, classified and
   run through the filters established in #2 for
   the enforcement

All of this should be *independent* of the IP
address the key management protocol is being run
on, and in fact should be completely separable.
It's really important that we keep this sort of
separation as the ability to have SAs which are
not tangled up with the current IP address is
extremely useful for mobility and multihoming.
More specifically, the ability to "project" SAs
for mobility could be extremely handy.

	     Mike
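The three-step receiver flow Mike describes (verify credentials, derive filter parameters from SPD policy, then integrity-check and filter packets) can be illustrated with a small simulation. This is an added example written for this page, not code from the IPsec working group or any IKE implementation; the credential store, the SPD table, the HMAC-based "credential proof" standing in for a certificate or Kerberos ticket, and the packet layout are all constructed for the example. Its point is the one made in the message: the identity and the resulting SA are never keyed on the source IP address, so a peer that moves to a new address keeps passing the same filters.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# --- Step 1: credential verification. The identity is a name, not an IP. ---
# Constructed credential store: identity -> long-term key (assumption; stands in
# for a certificate or Kerberos credential in the example).
CREDENTIALS: Dict[str, bytes] = {
    "Uri Blumenthal": b"constructed-long-term-key-for-uri",
    "Francis Dupont": b"constructed-long-term-key-for-francis",
}


def verify_credential(identity: str, nonce: bytes, proof: bytes) -> Optional[str]:
    """Return the identity if `proof` authenticates it over `nonce`, else None.
    Nothing here looks at the address the exchange arrived from."""
    key = CREDENTIALS.get(identity)
    if key is None:
        return None
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return identity if hmac.compare_digest(expected, proof) else None


# --- Step 2: authorization from SPD policy -> receiver-side filter parameters ---
@dataclass(frozen=True)
class Filter:
    protocol: str
    dst_ports: frozenset


# Constructed SPD: what each verified identity is allowed to send us.
SPD: Dict[str, Filter] = {
    "Uri Blumenthal": Filter("tcp", frozenset({22, 443})),
    "Francis Dupont": Filter("udp", frozenset({53})),
}


@dataclass(frozen=True)
class SA:
    spi: int
    identity: str
    integrity_key: bytes
    filt: Filter  # derived from SPD for the identity, not from any IP address


def establish_sa(identity: Optional[str], spi: int, integrity_key: bytes) -> Optional[SA]:
    """Bind a verified identity to an SPI and its SPD-derived filter."""
    if identity is None or identity not in SPD:
        return None
    return SA(spi, identity, integrity_key, SPD[identity])


# --- Step 3: integrity check, classify by SPI, enforce the step-2 filter ---
@dataclass(frozen=True)
class Packet:
    spi: int
    src_ip: str       # carried for realism; deliberately not consulted below
    protocol: str
    dst_port: int
    payload: bytes
    icv: bytes


def make_icv(key: bytes, spi: int, protocol: str, dst_port: int, payload: bytes) -> bytes:
    """Toy integrity check value over the fields the filter will act on."""
    msg = spi.to_bytes(4, "big") + protocol.encode() + dst_port.to_bytes(2, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def admit(sad: Dict[int, SA], pkt: Packet) -> bool:
    """Integrity-check, classify by SPI, then run the SA's filter."""
    sa = sad.get(pkt.spi)
    if sa is None:
        return False
    expected = make_icv(sa.integrity_key, pkt.spi, pkt.protocol, pkt.dst_port, pkt.payload)
    if not hmac.compare_digest(expected, pkt.icv):
        return False  # tampered or wrong key: never reaches the filter
    return pkt.protocol == sa.filt.protocol and pkt.dst_port in sa.filt.dst_ports


def build_packet(sa: SA, src_ip: str, protocol: str, dst_port: int, payload: bytes) -> Packet:
    return Packet(sa.spi, src_ip, protocol, dst_port, payload,
                  make_icv(sa.integrity_key, sa.spi, protocol, dst_port, payload))


def demo() -> dict:
    """Walk the three steps once and report which packets were admitted."""
    nonce = b"constructed-nonce"
    proof = hmac.new(CREDENTIALS["Uri Blumenthal"], nonce, hashlib.sha256).digest()
    ident = verify_credential("Uri Blumenthal", nonce, proof)
    sa = establish_sa(ident, spi=0x1001, integrity_key=b"constructed-sa-key")
    sad = {sa.spi: sa}
    good = build_packet(sa, "10.0.0.1", "tcp", 443, b"hello")
    moved = build_packet(sa, "192.0.2.9", "tcp", 443, b"hello")      # same SA, new address
    wrong_port = build_packet(sa, "10.0.0.1", "tcp", 25, b"hello")
    tampered = Packet(good.spi, good.src_ip, good.protocol, good.dst_port, b"hellO", good.icv)
    return {"home": admit(sad, good), "moved": admit(sad, moved),
            "wrong_port": admit(sad, wrong_port), "tampered": admit(sad, tampered)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` admits the packet both from the original address and after the peer "moves" to 192.0.2.9, because the SA and its filter were derived from the verified name and the SPD entry, while the off-policy port and the tampered payload are rejected at steps 2 and 3 respectively.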