
RE: "Me Tarzan, You Jane" in IKEv2-05



On Mon, 17 Mar 2003, Geoffrey Huang wrote:
> >   The average multi-user system needs this so that it can do
> > process to process tunnels with real credentials.
> 
> Interesting, but I'm still convinced that the responder can use the
> initiator's identity to determine how to respond.

How does knowing the initiator tell you who he wishes to connect to?
A server may well provide more than one service, and hence wish to be
known under more than one identity.

As others have pointed out, the HTTP people initially made the mistake of
assuming that the IP destination address was sufficient identification of
the connection's target, and ended up deeply regretting it.  The result
has been a lot of unnecessary consumption of IP address space to provide
servers with many IP addresses, something we definitely don't want to
encourage further. 

                                                          Henry Spencer
                                                       henry@spsystems.net