[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Adding revised identities to IKEv2

To: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Subject: Re: Adding revised identities to IKEv2
From: Michael Thomas <mat@cisco.com>
Date: Thu, 21 Nov 2002 09:01:57 -0800 (PST)
Cc: Stephen Kent <kent@bbn.com>, ipsec@lists.tislabs.com
In-Reply-To: <200211181541.gAIFfEte027647@givry.rennes.enst-bretagne.fr>
References: <p05100301b9fea8c97865@[128.89.88.34]><200211181541.gAIFfEte027647@givry.rennes.enst-bretagne.fr>
Sender: owner-ipsec@lists.tislabs.com

Francis Dupont writes:
 >  In your previous mail you wrote:
 > 
 >    >=> this mapping from names to addresses is in this statement done
 >    >by looking the source address of received messages (i.e., address
 >    >IKE runs over).
 > 
 > => so the addresses I talk about are the outer addresses.
 > 
 >    >This cannot provide in all cases the needed flexibility
 >    >and safety. For instance the address can be changed "en route",
 >    >the peer can put a rogue address (a real concern for 1+1 exchanges),
 >    >etc. And if another mapping mechanism is used (IPaddress alternate
 >    >Subject names in certificates, DNS/DNSsec, etc) the balance between
 >    >flexibility and safety is not the same.
 >    >But my main concern is that this balance is not controled: this is just
 >    >the result of never documented implementation choices...
 >    
 >    An intermediate IPsec device has only per-packet header data 
 >    available as a basis for making access control decisions for traffic 
 >    on an extant SA. Thus we must bind the traffic for the SA to a set of 
 >    addresses that we know about when we establish the SA. For tunnel 
 >    mode, the outer addresses can change during the SA without breaking 
 >    the SA, but the inner addresses must remain constant (or at least be 
 >    part of the same set established during SA establishment). Those 
 >    addresses cannot be changed by black routers, NAT devices, etc., 
 >    since they are inside the protection boundary.
 >    
 > => my concern is about outer addresses: we need flexibility in order
 > to change when needed these addresses (I believe we agree about this
 > point) and we need safety in order to avoid DoS attacks using SA
 > establishment with rogue outer addresses.

Francis,

If I'm understanding this thread correctly, I
agree with your concern that tunnel endpoints
ought to be moveable. However, my understanding is
that this is mainly a *signaling* issue: eg IKE
doesn't have a way to tell the other IKE to move
the tunnel endpoint.

	   Mike

Follow-Ups:
- Re: Adding revised identities to IKEv2
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>

References:
- Re: Adding revised identities to IKEv2
  - From: Stephen Kent <kent@bbn.com>
- Re: Adding revised identities to IKEv2
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>

Prev by Date: RE: Counter Mode Security: Analysis and Recommendations
Next by Date: RE: Counter Mode Security: Analysis and Recommendations
Prev by thread: Re: Adding revised identities to IKEv2
Next by thread: Re: Adding revised identities to IKEv2
Index(es):
- Date
- Thread