
Re: "Me Tarzan, You Jane" in IKEv2-05




>>>>> "Geoffrey" == Geoffrey Huang <ghuang@cisco.com> writes:
    Geoffrey> I agree with Dan Harkins' previous comment that the responder
    Geoffrey> can pick how to authenticate itself based on the initiator's
    Geoffrey> identity.  Since both the IDi and the optional IDr come at the

  No, it can not.
  The responder can only do this if it has a specific policy configured for
that particular ID. Maybe in the very policy-poor VPN systems that current
vendors configure this is possible.
  There are lots of messages explaining other scenarios that have been
posted in the original thread on this, back in January.

  There are other deployment scenarios where the policy is created on the
fly, and the IDi may not have any pre-configured meaning to the
responder. The initiator needs to indicate to whom it wishes to connect.

  We (the IETF) got this right with SMTP - Envelope from/to and header
from/to. We got it wrong with IKEv1.

see: http://www.sandelman.ca/ipsec/2002/12/msg00249.html
     

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [