RE: Modefg considered harmful
Hi Derek,
An afterthought...
>
> This is why you need to tie the identifiers together. In MGCP you
> need to tie the MGCP identifier into IKE/IPsec. In the IPsec VPN you
> need to tie the Tunneled IP Addresses to the IKE ID. This means that
> the IKE policy (on the gateway) needs to know what address(es) are
> assigned to the road-warrior client.
I share your concern regarding tying the Tunneled IP address to the remote
peer identity.
But isn't this accomplished by ESP? I.e., I copied the following paragraph from
the second version of ESP:
(<http://www.ietf.org/internet-drafts/draft-ietf-ipsec-esp-v3-03.txt>)
Data origin authentication and connectionless integrity are joint
services, hereafter referred to jointly as "integrity." (This term is
employed because, on a per-packet basis, the computation being
performed provides connectionless integrity directly; data origin
authentication is provided indirectly as a result of binding the key
used to verify the integrity to the identity of the IPsec peer.)
For me, a secure solution is not only about IKE; it encompasses IKE, SPD,
SAD, ESP and cryptography.
-----------------------------------------------------------
As of February 12, 2003 Thomson unifies its email addresses on a worldwide
basis. Please note my new email address: dirk.vanaken@thomson.net
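The gateway-side binding Derek describes, as an added Python illustration that is not part of either mail: the SA keys, IKE identities and assigned tunnel addresses are constructed, and the ICV is a simplified HMAC stand-in for the real ESP integrity check. It shows that ESP integrity alone proves which peer sent a packet, while a separate check is needed to tie the tunneled source address to that peer's IKE ID.

```python
import hmac
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed SAD entries keyed by inbound SPI: the per-SA integrity key plus
# the IKE identity and the tunnel address the gateway assigned to it.
@dataclass
class SAEntry:
    ike_id: str
    key: bytes
    assigned: frozenset

SAD = {
    0x1001: SAEntry("alice@example.test", b"alice-sa-key",
                    frozenset({ipaddress.ip_address("10.1.0.5")})),
    0x1002: SAEntry("bob@example.test", b"bob-sa-key",
                    frozenset({ipaddress.ip_address("10.1.0.6")})),
}

def icv(key, spi, inner):
    # Simplified stand-in for the ESP integrity check value (real ESP also
    # covers the sequence number and uses the negotiated integrity algorithm).
    return hmac.new(key, spi.to_bytes(4, "big") + inner, hashlib.sha256).digest()

def inbound(spi, inner, tag):
    """Process one tunnel-mode packet; return (accepted, reason).

    `inner` is the decrypted inner packet, modelled here as b"<src>|<data>".
    Step 1 is what ESP gives us: the key is bound to the peer's IKE ID, so a
    valid ICV proves which peer sent the packet.  Step 2 is the extra SPD-side
    check that ties the tunneled source address to that same IKE ID.
    """
    sa = SAD.get(spi)
    if sa is None:
        return False, "unknown SPI"
    if not hmac.compare_digest(tag, icv(sa.key, spi, inner)):
        return False, "ESP integrity check failed"
    src = ipaddress.ip_address(inner.split(b"|", 1)[0].decode())
    if src not in sa.assigned:
        return False, f"{sa.ike_id} sent inner source {src}, not its assigned address"
    return True, f"inner source {src} bound to {sa.ike_id}"

def demo():
    # Alice's packet with her own address passes both steps; an authenticated
    # packet on her SA that carries Bob's address passes step 1 only.
    own = b"10.1.0.5|hello"
    ok, _ = inbound(0x1001, own, icv(b"alice-sa-key", 0x1001, own))
    other = b"10.1.0.6|hello"
    bad, why = inbound(0x1001, other, icv(b"alice-sa-key", 0x1001, other))
    return ok, bad, why
```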