Re: Modefg considered harmful

["Derek Atkins" <derek@ihtfp.com>]

Van Aken Dirk <Dirk.VanAken@thomson.net> writes:

> I can understand your argument in the sense that IKE is doing the
> authentication of the identity and that somehow we want to bind this
> identity to an inner IP address. But on the other hand for static
> configurations this binding is not performed. e.g. Assume two SGW's talking

In a static configuration this binding is done statically.  For
example, you say in your policy: IKE-ID "alice" has address "1.2.3.4",
IKE-ID "bob" has addresses "2.3.4.16/28", and so on.  When you are
statically configured, you still get this binding -- it's just
performed, well, statically...

> Why should the road warrior/dynamic IP case be more secure than the
> SGW/static case ?

It's not "more secure".  I'm trying to make sure it is "as secure" as
a static configuration.  Without this binding it is most certainly
"less secure", because you may be letting invalid traffic through.

> > Similarly, I see nothing wrong with ModeCfg just configuring the IP
> > Address, and then using DHCP to obtain all the other configuration
> > once the network is up.  Indeed, modecfg could even provide the dhcp
> > address ;)
> 
> I guess there is consensus on this point; great ! So at least let's make the
> DHCP server attribute in IKEModeCfg as a MUST implement otherwise people
> cannot rely on it.

That's perfectly fine with me.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com