RE: "Me Tarzan, You Jane" in IKEv2-05
> On Mon, 17 Mar 2003, Geoffrey Huang wrote:
> > > The average multi-user system needs this so that it can do process-to-process
> > > tunnels with real credentials.
> >
> > Interesting, but I'm still convinced that the responder can use the
> > initiator's identity to determine how to respond.
>
> How does knowing the initiator tell you who he wishes to connect to?
> A server may well provide more than one service, and hence wish to be
> known under more than one identity.
Granted, it depends on the type of identity presented. But if you're
using something like the user@fqdn type, an ID_KEY_ID, or even a cert DN, the
gateway can use that to demux what service you want to talk to. If I'm
ghuang@cisco, the gateway knows that I wouldn't be connecting to
were-not-cisco.com.
> As others have pointed out, the HTTP people initially made the mistake of
> assuming that the IP destination address was sufficient identification of
> the connection's target, and ended up deeply regretting it. The result
> has been a lot of unnecessary consumption of IP address space to provide
> servers with many IP addresses, something we definitely don't want to
> encourage further.
As long as it's clear what to do in weird cases (e.g., the responder
ignores the IDr payload, etc.) I'm not bothered.
-g
> Henry Spencer
> henry@spsystems.net
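The demux question the two of them are arguing about, as an added example that is not code from this thread or from any IKEv2 implementation: a responder that holds several identities (one per service) must decide which one to answer as. With an IDr payload the choice is unambiguous, much like an HTTP Host header; without one the responder can only guess from IDi, which works for the ghuang@cisco case but breaks as soon as one initiator identity is valid for more than one service. The Identification payload layout (one ID-type byte, three reserved zero bytes, then the data) is taken from RFC 7296 section 3.5, not from draft-05; the identities, initiator rules and service names are constructed for the example.

```python
"""Responder-side selection of a service from IDr, with an IDi fallback.

Assumptions (constructed for this example, not taken from the thread):
  * Identification payload body layout from RFC 7296 sec. 3.5: one ID-type
    byte, three reserved zero bytes, then the identification data.
  * The responder identities, initiator rules and service names below.
"""
import struct

ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11


def encode_id(id_type, data):
    """Build an ID payload body: ID type, three reserved zero bytes, data."""
    return struct.pack("!B3x", id_type) + data


def decode_id(body):
    """Parse an ID payload body into (type, data), rejecting malformed input."""
    if len(body) < 4:
        raise ValueError("ID payload body shorter than its 4-byte header")
    id_type = body[0]
    if body[1:4] != b"\x00\x00\x00":
        raise ValueError("reserved bytes of the ID payload must be zero")
    data = body[4:]
    if id_type == ID_IPV4_ADDR and len(data) != 4:
        raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
    if id_type in (ID_FQDN, ID_RFC822_ADDR) and not data.isascii():
        raise ValueError("FQDN and RFC822 identities must be ASCII")
    return id_type, data


class Responder:
    """A gateway answering under several identities, one per service."""

    def __init__(self, identities, initiator_rules, default=None):
        # identities: {(id_type, data): service} -- what IDr may name
        # initiator_rules: [(predicate(id_type, data), service)] -- IDi guesses
        self.identities = identities
        self.rules = initiator_rules
        self.default = default

    def select(self, idi_body, idr_body=None):
        """Return ("ok", service) or ("reject", reason) for an IKE_AUTH request."""
        idi_type, idi_data = decode_id(idi_body)
        if idr_body is not None:
            # IDr names one of our identities; like an HTTP Host header it is
            # unambiguous, so it decides which service (and which certificate
            # and policy) we answer with.
            service = self.identities.get(decode_id(idr_body))
            if service is None:
                return ("reject", "IDr names an identity this responder does not hold")
            return ("ok", service)
        # No IDr: try to infer the service from who the initiator says it is.
        matches = {svc for pred, svc in self.rules if pred(idi_type, idi_data)}
        if len(matches) == 1:
            return ("ok", matches.pop())
        if not matches and self.default is not None:
            return ("ok", self.default)
        return ("reject", "IDi does not determine a unique service; IDr needed")


def build_example_responder():
    """Constructed policy: one gateway, two services, overlapping populations."""
    identities = {
        (ID_FQDN, b"vpn.example.com"): "corp-vpn",
        (ID_FQDN, b"partner.example.com"): "partner-portal",
    }
    rules = [
        (lambda t, d: t == ID_RFC822_ADDR and d.endswith(b"@example.com"), "corp-vpn"),
        (lambda t, d: t == ID_RFC822_ADDR and d.endswith(b"@partner.net"), "partner-portal"),
        # Hardware tokens are issued to both staff and partners, so a bare
        # ID_KEY_ID says nothing about which service the holder wants.
        (lambda t, d: t == ID_KEY_ID and d.startswith(b"token-"), "corp-vpn"),
        (lambda t, d: t == ID_KEY_ID and d.startswith(b"token-"), "partner-portal"),
    ]
    return Responder(identities, rules)


def demo():
    """Run the four cases the thread discusses; returns a dict of outcomes."""
    r = build_example_responder()
    staff = encode_id(ID_RFC822_ADDR, b"ghuang@example.com")
    token = encode_id(ID_KEY_ID, b"token-42")
    return {
        # IDr present: the responder knows exactly which identity to assume
        "with_idr": r.select(staff, encode_id(ID_FQDN, b"partner.example.com")),
        # IDr absent but IDi is enough to pick the service
        "by_idi": r.select(staff),
        # IDr absent and IDi fits two services: the responder cannot guess
        "ambiguous": r.select(token),
        # IDr names a host we are not ("were-not-example.com")
        "unknown_idr": r.select(staff, encode_id(ID_FQDN, b"were-not-example.com")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12} -> {result}")
```

Selecting the service is only the first step: once the responder knows which identity it is answering as, it still has to check that this particular IDi is authorised for that service under that service's policy, which is where a mismatch like ghuang@cisco asking for were-not-cisco.com would be rejected. The "reject" returned when IDr names an identity the responder does not hold is the IKEv2 analogue of an HTTP server refusing an unknown Host, and the "ambiguous" case is the one Henry's argument is about: no amount of knowing who the initiator is tells you which of two valid services it wants.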