
Re: Adding revised identities to IKEv2



 In your previous mail you wrote:

   If I'm understanding this thread correctly,

=> the main thread is about peer source addresses in IKE,
but there is a sub-thread about the same thing as this message.

   I agree with your concern that tunnel endpoints
   ought to be moveable. However, my understanding is
   that this is mainly a *signaling* issue: eg IKE
   doesn't have a way to tell the other IKE to move
   the tunnel endpoint.
   
=> there is today an indirect way through rekeying (new phase 2),
but:
 - with PFS this is a bit expensive
 - so a new readdressing exchange should be welcome
   (in IKEv2, which mandates "phase 2" PFS)
 - of course, implementations which use addresses in place of
   the SPI (aka cookies in IKEv1) to get the phase 1 context
   have to be fixed!
Another point: spurious checks on the outer source address should not
be performed.
(BTW I believe we agree about these points)

Thanks

Francis.Dupont@enst-bretagne.fr
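Added example, not code from the original message or from any IKE implementation: a minimal parser for the fixed IKEv2 header (RFC 7296, section 3.1) and two SA tables, one keyed on the SPI pair and one keyed on the peer's outer address, to show why the second kind of implementation breaks when a tunnel endpoint moves. The SPIs, addresses and the datagram are constructed for the demonstration; the message's integrity check is assumed to have already passed before the stored address is updated.

```python
"""Finding the IKE SA (phase 1 context) by SPI rather than by outer address.

Constructed example. Parses the 28-byte fixed IKEv2 header and compares an
SA table keyed on (SPIi, SPIr) with one keyed on the peer's source address
when the peer readdresses.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Fixed IKEv2 header (RFC 7296 s3.1): SPIi(8) SPIr(8) next payload(1)
# version(1) exchange type(1) flags(1) message id(4) length(4) = 28 bytes.
IKE_HEADER = struct.Struct("!8s8sBBBBII")
IKEV2_VERSION = 0x20       # major 2, minor 0
EXCH_INFORMATIONAL = 37    # exchange type value from RFC 7296
FLAG_INITIATOR = 0x08

Addr = Tuple[str, int]


@dataclass
class IkeSa:
    spi_i: bytes
    spi_r: bytes
    peer_addr: Addr  # last seen outer address: data, not a lookup key


class SaTableBySpi:
    """The SPI pair identifies the IKE SA; the address is just recorded."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[bytes, bytes], IkeSa] = {}

    def add(self, sa: IkeSa) -> None:
        self._sas[(sa.spi_i, sa.spi_r)] = sa

    def lookup(self, spi_i: bytes, spi_r: bytes) -> Optional[IkeSa]:
        return self._sas.get((spi_i, spi_r))


class SaTableByAddr:
    """The fragile design: the outer source address is the key."""

    def __init__(self) -> None:
        self._sas: Dict[Addr, IkeSa] = {}

    def add(self, sa: IkeSa) -> None:
        self._sas[sa.peer_addr] = sa

    def lookup(self, addr: Addr) -> Optional[IkeSa]:
        return self._sas.get(addr)


def build_ike_header(spi_i: bytes, spi_r: bytes, message_id: int) -> bytes:
    """Build a header-only INFORMATIONAL request (no payloads, constructed)."""
    return IKE_HEADER.pack(spi_i, spi_r, 0, IKEV2_VERSION, EXCH_INFORMATIONAL,
                           FLAG_INITIATOR, message_id, IKE_HEADER.size)


def parse_ike_header(datagram: bytes) -> Tuple[bytes, bytes, int, int, int]:
    """Return (SPIi, SPIr, exchange type, flags, message id) or raise."""
    if len(datagram) < IKE_HEADER.size:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _np, version, exch, flags, msg_id, length = \
        IKE_HEADER.unpack_from(datagram)
    if version >> 4 != 2:
        raise ValueError("not an IKEv2 message")
    if length != len(datagram):
        raise ValueError("length field does not match the datagram")
    return spi_i, spi_r, exch, flags, msg_id


def dispatch_by_spi(table: SaTableBySpi, datagram: bytes, src: Addr) -> Optional[IkeSa]:
    """Find the SA by SPI; a changed outer address is recorded, not rejected.

    Assumption: the caller has already verified the message's integrity with
    the SA's keys before this update is trusted, otherwise an off-path sender
    could redirect the peer's traffic by forging the SPI pair.
    """
    spi_i, spi_r, _exch, _flags, _msg_id = parse_ike_header(datagram)
    sa = table.lookup(spi_i, spi_r)
    if sa is not None and src != sa.peer_addr:
        sa.peer_addr = src  # peer moved: remember where replies now go
    return sa


def dispatch_by_addr(table: SaTableByAddr, datagram: bytes, src: Addr) -> Optional[IkeSa]:
    """Same header validation, but the SA is found by the outer address."""
    parse_ike_header(datagram)
    return table.lookup(src)


def demo() -> Dict[str, object]:
    """Run both designs through a readdressing event and report what matched."""
    spi_i = bytes.fromhex("0102030405060708")   # constructed
    spi_r = bytes.fromhex("a1a2a3a4a5a6a7a8")   # constructed
    old_addr: Addr = ("192.0.2.10", 500)        # constructed, before the move
    new_addr: Addr = ("198.51.100.7", 500)      # constructed, after the move

    by_spi = SaTableBySpi()
    by_spi.add(IkeSa(spi_i, spi_r, old_addr))
    by_addr = SaTableByAddr()
    by_addr.add(IkeSa(spi_i, spi_r, old_addr))

    msg = build_ike_header(spi_i, spi_r, message_id=3)
    result = {
        "spi_old": dispatch_by_spi(by_spi, msg, old_addr) is not None,
        "addr_old": dispatch_by_addr(by_addr, msg, old_addr) is not None,
        "spi_new": dispatch_by_spi(by_spi, msg, new_addr) is not None,
        "addr_new": dispatch_by_addr(by_addr, msg, new_addr) is not None,
    }
    result["recorded_addr"] = by_spi.lookup(spi_i, spi_r).peer_addr
    return result


if __name__ == "__main__":
    print(demo())
```

The SPI-keyed table keeps matching after the peer moves and simply records the new address, while the address-keyed table loses the SA and would force a fresh phase 1. The one caveat a practitioner should keep in mind is the assumption in `dispatch_by_spi`: the recorded address may only be updated for a message that has passed the SA's integrity check, since the SPI pair alone is not a secret.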