
Re: On revised identity (was "Moving forward...final edits...)




>>>>> "Theodore" == Theodore Ts'o <tytso@mit.edu> writes:
    Theodore> Tunnel Services, the VPN gateway could choose to use different
    Theodore> ID types based on how the initial connection was made, but that
    Theodore> would add complexity to its architecture/implementation --- and
    Theodore> so I wonder if an implementor might simply choose not to use
    Theodore> hash/URL at all, and just simply send the entire certificate
    Theodore> chain each time.

  yes, I'm sure that this will be the case. So what?
  You've just argued for why we need to be able to do things inline for 
intra-enterprise use.

  Frankly, I don't know why this situation is even mentioned. The laptops
have to be configured with a trusted root, and you need to configure only one of
these. For the static situation where you only talk to one gateway, this is
trivial.

  For the more complicated situation where you need to be connected to the
mothercorp's gateway, and the gateway of the people you've been assigned to
help that week, you already have a significantly more complicated policy than
you described.

  The ability of the laptop to refer to its certificate *chain* indirectly
is of great use to the gateway, because the chain can be as sophisticated as
you like.

  The hash/URL scheme is very useful for larger *VPN*s of equals -
particularly for cross-enterprise systems.

    Theodore> Basically, a hash/URL scheme can be made to work (and could be
    Theodore> added to either the existing ikev1/ikev2-04 framework, or in
    Theodore> the revised identity draft. ).  It is essentially a trade-off
    Theodore> between complexity (in terms of needing an http client engine
    Theodore> in an ipsec implementation plus some specialized rules about

  Btw, who said anything about needing the http client in the IKE?
  For all you know, the whole thing is passed on to a policy server that may
be an order of magnitude more complex.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
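Added example (not code from this thread or from any IKE implementation) of the split the reply argues for: the IKE side only parses the hash/URL payload and hands it to a policy-server-side resolver, which fetches the blob and refuses it unless its hash matches the one received inside the protected exchange. The 20-octet SHA-1 plus URL layout, the function names and the offline store are assumptions; the thread does not fix the encoding.

```python
import hashlib
from typing import Callable, Optional, Tuple

# Assumed layout: 20-octet SHA-1 of the DER chain blob followed by the URL.
HASH_LEN = 20


def encode_hash_and_url(der_blob: bytes, url: str) -> bytes:
    """Sender side: refer to the chain indirectly instead of sending it inline."""
    return hashlib.sha1(der_blob).digest() + url.encode("ascii")


def parse_hash_and_url(payload: bytes) -> Tuple[bytes, str]:
    """IKE side: split the payload; no HTTP client needed here."""
    if len(payload) <= HASH_LEN:
        raise ValueError("payload too short for hash and URL")
    return payload[:HASH_LEN], payload[HASH_LEN:].decode("ascii")


def resolve_chain(payload: bytes, fetch: Callable[[str], bytes]) -> Optional[bytes]:
    """Policy-server side: fetch the blob and accept it only if its hash matches
    the value that arrived in the IKE exchange. A mismatch means the URL served
    something the peer did not vouch for, so it never reaches the cert parser."""
    expected, url = parse_hash_and_url(payload)
    blob = fetch(url)
    if hashlib.sha1(blob).digest() != expected:
        return None
    return blob


# Constructed sample data: a fake DER chain and an offline stand-in for HTTP.
CHAIN = b"\x30\x82\x01\x00" + b"constructed-der-chain" * 4
URL = "http://certs.example.test/chain.der"   # placeholder, not a real host
STORE = {URL: CHAIN}


def fetch_from_store(url: str) -> bytes:
    return STORE[url]


def demo() -> bool:
    payload = encode_hash_and_url(CHAIN, URL)
    good = resolve_chain(payload, fetch_from_store)
    # Tampered store: the URL now serves different bytes under the same name.
    bad = resolve_chain(payload, lambda u: STORE[u] + b"x")
    return good == CHAIN and bad is None


if __name__ == "__main__":
    print("hash/URL resolution behaves as expected:", demo())
```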
