
RE: Modefg considered harmful
Hi Derek,

An afterthought ...
> 
> This is why you need to tie the identifiers together.  In MGCP you
> need to tie the MGCP identifier into IKE/IPsec.  In the IPsec VPN you
> need to tie the Tunneled IP Addresses to the IKE ID.  This means that
> the IKE policy (on the gateway) needs to know what address(es) are
> assigned to the road-warrior client.

I share your concern regarding tying the Tunneled IP address to the remote
peer identity.
But isn't this accomplished by ESP? i.e. I copied the following paragraph from
the second version of ESP:
(<http://www.ietf.org/internet-drafts/draft-ietf-ipsec-esp-v3-03.txt>)


   Data origin authentication and connectionless integrity are joint
   services, hereafter referred to jointly as "integrity." (This term is
   employed because, on a per-packet basis, the computation being
   performed provides connectionless integrity directly; data origin
   authentication is provided indirectly as a result of binding the key
   used to verify the integrity to the identity of the IPsec peer. 

For me a secure solution is not only about IKE; it encompasses IKE, SPD,
SAD, ESP and cryptography.

----------------------------------------------------------- 
As of February 12, 2003 Thomson unifies its email addresses on a worldwide
basis. Please note my new email address: dirk.vanaken@thomson.net 

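Editor's note: the exchange above turns on two separate bindings, the one ESP provides (a packet's integrity key is bound to the peer the SA was negotiated with) and the one Derek asks for (the tunneled inner address is bound to that same peer). The following is an added example, not code from either correspondent or from any IPsec implementation, that models an inbound tunnel-mode check doing both: verify the ICV under the SA's key, then reject the packet if its inner source address is not one the SAD records as assigned to that peer. The packet layout (SPI, sequence number, inner IPv4 addresses, payload, truncated HMAC-SHA-256 ICV) is a simplified stand-in for real ESP, and the SAD entry, key, peer ID and addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

ICV_LEN = 16  # truncated HMAC-SHA-256 ICV (assumption for this model)


@dataclass
class InboundSA:
    """One inbound SAD entry, as it would exist after IKE completes."""
    spi: int
    auth_key: bytes          # integrity key negotiated by IKE
    peer_id: str             # IKE ID the key was negotiated with
    inner_sources: tuple     # tunneled address(es) assigned to that peer


def mint_sad():
    """Constructed sample SAD: one road-warrior client, one assigned address."""
    return {
        0x1001: InboundSA(
            spi=0x1001,
            auth_key=b"k" * 32,
            peer_id="alice@example.test",
            inner_sources=(ipaddress.ip_network("10.0.0.5/32"),),
        ),
    }


def build_esp_packet(sa, seq, inner_src, inner_dst, payload):
    """Simplified ESP tunnel-mode packet: SPI | seq | inner src | inner dst | payload | ICV."""
    header = struct.pack("!II", sa.spi, seq)
    inner = ipaddress.ip_address(inner_src).packed + ipaddress.ip_address(inner_dst).packed
    body = header + inner + payload
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def process_inbound(sad, packet):
    """Return (accepted, reason).

    Step 1 is the ESP integrity check: a good ICV proves the packet was
    built with the key bound to sa.peer_id.  Step 2 is the SAD/SPD selector
    check: the inner source address must be one assigned to that peer,
    otherwise a peer could inject traffic under another client's address.
    """
    if len(packet) < 8 + 8 + ICV_LEN:
        return False, "truncated"
    spi, _seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        return False, "unknown SPI"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, "ICV mismatch"
    inner_src = ipaddress.ip_address(body[8:12])
    if not any(inner_src in net for net in sa.inner_sources):
        return False, f"inner source {inner_src} not assigned to {sa.peer_id}"
    return True, f"accepted from {sa.peer_id}"


if __name__ == "__main__":
    sad = mint_sad()
    sa = sad[0x1001]
    good = build_esp_packet(sa, 1, "10.0.0.5", "10.0.1.1", b"hello")
    spoof = build_esp_packet(sa, 2, "10.0.0.9", "10.0.1.1", b"hello")
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    for name, pkt in (("good", good), ("spoofed inner src", spoof), ("tampered", tampered)):
        print(name, process_inbound(sad, pkt))
```

The spoofed packet carries a valid ICV, so ESP alone accepts it; only the selector check against the SA's assigned inner address, which is the gateway-side policy Derek describes, rejects it.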