RE: "Me Tarzan, You Jane" in IKEv2-05
> >>>>> "Geoffrey" == Geoffrey Huang <ghuang@cisco.com> writes:
> Geoffrey> Granted, it depends on the type of identity presented. But if you're
> Geoffrey> using something like user@fqdn type, ID_KEY_ID or even a cert DN, the
>
> How. I'm mcr@sandelman.ca.
> What service do I want to connect to? Tell me.
*I* can't tell you that because *I* am not the security gateway ;-).
This has to be a policy decision configured at the gateway. Like if
you're mcr@sandelman.ca, what optional IDr would you present?
security-gateway.sandelman.ca? Then what's the point of presenting both
pieces of information, since the latter can be inferred from the former?
But as I said before, this isn't a thorn in my side - it's an optional
payload, so I'm not too bothered by it. I only wanted it to be
clarified what to do if the responder doesn't return the IDr the
initiator proposed.
-g
> ] ON HUMILITY: to err is human. To moo, bovine.              | firewalls [
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON   |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
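The open question in the message above is what the initiator should do when the responder's IDr differs from the optional hint the initiator sent. The following is an added toy model of that initiator-side decision; it is not code from the thread, from any IKEv2 draft, or from any implementation. The identity types mirror the ones named in the discussion (user@fqdn, ID_KEY_ID, a cert DN), and the rule that the gateway name is derived from the domain part of a user@fqdn identity (`infer_gateway_hint`, `security-gateway.<domain>`) is a hypothetical policy chosen to match Geoffrey's example, as is the rule that a responder IDr different from the hint is acceptable only if it is on the initiator's configured list.

```python
"""Toy model of the optional IDr hint in IKE_AUTH, initiator side (added example).

Assumptions (not from the thread or any specification):
  * the initiator may send an IDr hint derived from its own identity;
  * the responder is free to answer with a different IDr;
  * the initiator accepts only if the identity the responder actually
    presents is on its locally configured list of acceptable gateway IDs.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class IDType(Enum):
    FQDN = "ID_FQDN"
    RFC822 = "ID_RFC822_ADDR"   # user@fqdn
    KEY_ID = "ID_KEY_ID"
    DN = "ID_DER_ASN1_DN"       # certificate subject DN


@dataclass(frozen=True)
class Identity:
    id_type: IDType
    value: str


@dataclass(frozen=True)
class InitiatorPolicy:
    local_id: Identity                       # IDi the initiator will assert
    acceptable_gateway_ids: frozenset        # IDr values policy allows
    send_idr_hint: bool = True               # payload is optional


def infer_gateway_hint(local_id: Identity,
                       gateway_label: str = "security-gateway") -> Optional[Identity]:
    """Hypothetical rule: derive the gateway FQDN from the domain of a user@fqdn ID."""
    if local_id.id_type != IDType.RFC822 or "@" not in local_id.value:
        return None
    domain = local_id.value.rsplit("@", 1)[1]
    return Identity(IDType.FQDN, f"{gateway_label}.{domain}")


def build_idr_hint(policy: InitiatorPolicy) -> Optional[Identity]:
    """Return the IDr the initiator proposes, or None to omit the payload."""
    if not policy.send_idr_hint:
        return None
    return infer_gateway_hint(policy.local_id)


def evaluate_responder_idr(policy: InitiatorPolicy,
                           hint: Optional[Identity],
                           returned_idr: Optional[Identity]) -> Tuple[bool, str]:
    """Decide whether the initiator proceeds once the responder's IDr arrives.

    The hint is advisory; the decision rests on the initiator's configured
    policy, not on whether the responder echoed the hint back.
    """
    if returned_idr is None:
        return False, "responder presented no IDr"
    if returned_idr not in policy.acceptable_gateway_ids:
        return False, f"responder identity {returned_idr.value!r} not permitted by policy"
    if hint is not None and returned_idr != hint:
        return True, f"accepted {returned_idr.value!r}: differs from hint but allowed by policy"
    return True, f"accepted {returned_idr.value!r}"


if __name__ == "__main__":
    # Constructed sample policy for the identity used in the thread.
    policy = InitiatorPolicy(
        local_id=Identity(IDType.RFC822, "mcr@sandelman.ca"),
        acceptable_gateway_ids=frozenset({
            Identity(IDType.FQDN, "security-gateway.sandelman.ca"),
            Identity(IDType.FQDN, "vpn2.sandelman.ca"),   # constructed alternate name
        }),
    )
    hint = build_idr_hint(policy)
    print("IDr hint:", hint)
    for answer in (hint, Identity(IDType.FQDN, "vpn2.sandelman.ca"),
                   Identity(IDType.FQDN, "gateway.example.invalid"), None):
        print(evaluate_responder_idr(policy, hint, answer))
```

The point the model makes is that sending an IDr hint does not relieve the initiator of checking the identity the responder actually asserts; a hint that is merely echoed back adds nothing, and a different IDr is neither automatically wrong nor automatically fine.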