
RE: "Me Tarzan, You Jane" in IKEv2-05
> On Mon, 17 Mar 2003, Geoffrey Huang wrote:
> > > The average multi-user system needs this so that it can do
> > > process-to-process tunnels with real credentials.
> > 
> > Interesting, but I'm still convinced that the responder can use the
> > initiator's identity to determine how to respond.
> 
> How does knowing the initiator tell you who he wishes to connect to?
> A server may well provide more than one service, and hence wish to be
> known under more than one identity.

Granted, it depends on the type of identity presented.  But if you're
using something like user@fqdn type, ID_KEY_ID or even a cert DN, the
gateway can use that to demux what service you want to talk to.  If I'm
ghuang@cisco, the gateway knows that I wouldn't be connecting to
were-not-cisco.com.

> As others have pointed out, the HTTP people initially made the mistake of
> assuming that the IP destination address was sufficient identification of
> the connection's target, and ended up deeply regretting it.  The result
> has been a lot of unnecessary consumption of IP address space to provide
> servers with many IP addresses, something we definitely don't want to
> encourage further.

As long as it's clear what to do in weird cases (e.g., the responder
ignores the IDr payload, etc.) I'm not bothered.

-g

> Henry Spencer
> henry@spsystems.net
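The disagreement above is about whether a responder can pick the service (and thus the identity it asserts) from the initiator's ID alone, or whether it needs the initiator to say whom it wants via IDr. The following is an added illustration written for this archive page, not code from either poster or from any IKEv2 implementation: a toy responder-side demux in Python. The ID type names follow the IKEv2 payload names; the access policy, the peer identities and the two responder identities are constructed for the example. It shows that IDi-only demux works when a peer is entitled to exactly one service, becomes ambiguous when the same gateway serves that peer under more than one identity, and how the "responder ignores IDr" case from the last paragraph behaves.

```python
from dataclasses import dataclass
from typing import Optional

# IKEv2 ID payload type names (constants named as in the protocol; numeric codes omitted).
ID_FQDN = "ID_FQDN"
ID_RFC822_ADDR = "ID_RFC822_ADDR"   # user@fqdn style identity
ID_KEY_ID = "ID_KEY_ID"
ID_DER_ASN1_DN = "ID_DER_ASN1_DN"


@dataclass(frozen=True)
class Identity:
    """One ID payload: its type and its value (hashable so it can key a policy table)."""
    id_type: str
    value: str


# Constructed policy: for each initiator identity, the responder identities
# (services on this gateway) that the peer is permitted to reach.
ACCESS_POLICY = {
    Identity(ID_RFC822_ADDR, "ghuang@example.com"): {"vpn.example.com"},
    # A single peer allowed to talk to two services hosted on the same gateway.
    Identity(ID_KEY_ID, "build-agent-17"): {"vpn.example.com", "ci.example.com"},
}

# Identities this gateway is willing to assert as responder (constructed).
RESPONDER_IDS = {"vpn.example.com", "ci.example.com"}


def select_responder_identity(idi: Identity, idr: Optional[Identity],
                              honor_idr: bool = True) -> Optional[str]:
    """Decide which responder identity to assert for this IKE_AUTH exchange.

    Returns the identity name, or None when the exchange should be rejected
    (unknown peer, IDr not owned by this gateway, IDr the peer may not reach,
    or an ambiguous IDi-only request).
    """
    allowed = ACCESS_POLICY.get(idi)
    if allowed is None:
        return None  # unknown initiator: nothing to demux to

    if idr is not None and honor_idr:
        # The initiator named the identity it wants; honour it only if this
        # gateway owns that identity and the peer is permitted to reach it.
        if idr.value in RESPONDER_IDS and idr.value in allowed:
            return idr.value
        return None

    # No IDr (or the responder is configured to ignore it): fall back to
    # demuxing on IDi alone. That is only well defined when the policy maps
    # this peer to exactly one service; the multi-service case is ambiguous.
    if len(allowed) == 1:
        return next(iter(allowed))
    return None
```

The `honor_idr=False` path models the weird case mentioned at the end of the reply: a responder that ignores IDr degrades to IDi-only demux, which still works for single-service peers but cannot choose between two identities the same peer is entitled to.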