
RE: "Me Tarzan, You Jane" in IKEv2-05



On Mon, 17 Mar 2003, Geoffrey Huang wrote:
> Granted, it depends on the type of identity presented.  But if you're
> using something like user@fqdn type, ID_KEY_ID or even a cert DN, the
> gateway can use that to demux what service you want to talk to.  If I'm
> ghuang@cisco, the gateway knows that I wouldn't be connecting to
> were-not-cisco.com.

What this amounts to, I'm afraid, is saying that in some ad hoc way,
people can subdivide the initiator identity into two subfields, the real
identity of the initiator and some indication of who he wants to talk to.
(They aren't necessarily related, even with the aid of configuration data
on the responder end, except in restricted applications where all possible
network connections are preconfigured.)

To be blunt, saying "well, you can usually sort of intuit the target,
somehow, based on the initiator's identity" is a total botch.  Two
separate items of information ought to be carried in two separate
packages, so there is a *standard* way to separate them.

                                                          Henry Spencer
                                                       henry@spsystems.net
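The design point argued above, that the initiator's own identity and the identity it wants to reach are two separate items and should travel in two separate payloads, as an added example that is not part of the original post, the IKEv2 draft, or any IKE implementation. The payload layout assumed here is the body of the Identification payload as later published in RFC 7296 section 3.5 (one ID type byte, three reserved bytes, identification data), which is an assumption relative to the -05 draft under discussion; the hostnames, user identities and the policy table are hypothetical. The first demux function shows the "intuit the target from the initiator's identity" approach failing as soon as one initiator is allowed to reach more than one service; the second uses an explicit responder identity (IDr) and merely checks it against policy.

```python
"""Constructed example: demultiplexing an IKEv2 responder by identity.

Added illustration, not code from the ipsec list thread or from any IKE
implementation. The ID payload body layout (type byte, three reserved
bytes, data) follows the published RFC 7296, which is an assumption
relative to the -05 draft discussed on the list. Hostnames, users and
the policy table below are hypothetical.
"""
import struct
from typing import Optional, Set, Tuple

# Identification payload type values from the IKEv2 registry (RFC 7296 3.5).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_KEY_ID = 11


def encode_id_payload(id_type: int, data: bytes) -> bytes:
    """Build an Identification payload body: ID Type, 3 RESERVED bytes, data."""
    return struct.pack("!B3x", id_type) + data


def decode_id_payload(body: bytes) -> Tuple[int, bytes]:
    """Split an Identification payload body back into (ID Type, data)."""
    if len(body) < 4:
        raise ValueError("truncated ID payload")
    (id_type,) = struct.unpack("!B3x", body[:4])
    return id_type, body[4:]


# Hypothetical responder policy: which initiator identities may reach
# which services hosted behind this gateway. Keyed on (ID Type, data).
POLICY = {
    (ID_RFC822_ADDR, b"ghuang@cisco.com"): {"vpn.cisco.com"},
    (ID_RFC822_ADDR, b"alice@example.net"): {"vpn.cisco.com", "were-not-cisco.com"},
}


def allowed_targets(idi_body: bytes) -> Set[str]:
    """Services the initiator identity in IDi is configured to reach."""
    return POLICY.get(decode_id_payload(idi_body), set())


def demux_by_initiator(idi_body: bytes) -> Optional[str]:
    """The ad hoc approach: infer the target service from IDi alone.

    Works only while every initiator maps to exactly one service; returns
    None as soon as the initiator identity does not pin down the target.
    """
    targets = allowed_targets(idi_body)
    return next(iter(targets)) if len(targets) == 1 else None


def demux_by_responder_id(idi_body: bytes, idr_body: bytes) -> Optional[str]:
    """Carry the target in its own payload (IDr) and check it against policy.

    The responder no longer guesses: IDr names the service, and policy
    decides whether this initiator may reach it. Returns None on a
    policy miss or an IDr type this toy responder does not recognise.
    """
    id_type, data = decode_id_payload(idr_body)
    if id_type != ID_FQDN:
        return None  # services in this example are named only by FQDN
    target = data.decode("ascii")
    return target if target in allowed_targets(idi_body) else None


if __name__ == "__main__":
    idi = encode_id_payload(ID_RFC822_ADDR, b"alice@example.net")
    idr = encode_id_payload(ID_FQDN, b"were-not-cisco.com")
    print("guess from IDi only:", demux_by_initiator(idi))
    print("explicit IDr:       ", demux_by_responder_id(idi, idr))
```

Running the block as a script prints `None` for the guessed target and `were-not-cisco.com` for the explicit one: the same initiator identity is ambiguous on its own and unambiguous once the target travels in its own payload.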