
RE: "Me Tarzan, You Jane" in IKEv2-05



On Tue, 18 Mar 2003, Geoffrey Huang wrote:
> >   How. I'm mcr@sandelman.ca.
> >   What service do I want to connect to? Tell me.
> 
> *I* can't tell you that because *I* am not the security gateway ;-).
> This has to be a policy decision configured at the gateway.

Suppose this is *not* a VPN, so it's *not* preconfigured down to the last
detail.  Then there is no policy which says which service mcr@sandelman.ca
might want, because there is no way to tell that in advance.

Even if it is preconfigured, for that matter, there might be more than one
service he might want, and hence no way to intuit a single answer. 

> ...you're mcr@sandelman.ca, what optional IDr would you present?
> security-gateway.sandelman.ca?

Why would he present a name associated with him?  IDr is meant to be an
identity meaningful on the responder, not on the initiator.  He would ask
for, say, area51.topsecretRandD.cisco.com.  There's no way you can infer
that from mcr@sandelman.ca.

                                                          Henry Spencer
                                                       henry@spsystems.net
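To make the point about IDr concrete, here is an added example (not code from the list thread, and not from any IKE implementation). It encodes and parses IKEv2 Identification payloads and then runs a toy responder-side policy lookup. The payload layout (generic header, ID Type, three reserved octets, identification data) and the type numbers are taken from the later RFC 7296 text, which I assume match the draft under discussion; the policy table, the second service name and the `responder_select` helper are constructed for illustration. The lookup shows the asymmetry in the thread: with an IDr the responder can answer directly, while without one it can only answer when its policy leaves a single candidate for that initiator.

```python
import struct

# IKEv2 Identification payload ID types (RFC 7296 section 3.5; assumed to
# match the ikev2-05 draft being discussed).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11

# Payload type numbers used in the generic header's Next Payload field.
PAYLOAD_NONE = 0
PAYLOAD_IDI = 35
PAYLOAD_IDR = 36


def build_id_payload(id_type, data, next_payload=PAYLOAD_NONE):
    """Encode one Identification payload (IDi and IDr share this layout).

    Generic header: Next Payload (1), Critical bit + RESERVED (1), Payload
    Length (2); then ID Type (1), RESERVED (3), Identification Data.
    """
    if isinstance(data, str):
        data = data.encode("ascii")
    length = 8 + len(data)
    return struct.pack("!BBHB3x", next_payload, 0, length, id_type) + data


def parse_id_payload(buf):
    """Decode an Identification payload from the front of buf.

    Returns (next_payload, id_type, data, remaining_bytes) and rejects
    truncated or malformed headers instead of reading past the payload.
    """
    if len(buf) < 8:
        raise ValueError("truncated Identification payload header")
    next_payload, crit_res, length, id_type = struct.unpack("!BBHB3x", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("bad payload length %d" % length)
    if crit_res & 0x7F:  # bit 7 is the Critical flag; the rest must be zero
        raise ValueError("reserved bits set in Identification payload")
    return next_payload, id_type, buf[8:length], buf[length:]


def select_service(policy, idi, idr=None):
    """Responder-side service selection.

    policy maps an initiator identity (type, data) to the set of responder
    identities (type, data) that initiator may reach.  With an IDr the answer
    is a direct membership check; without one the responder can only pick a
    service when exactly one is permitted, otherwise it cannot intuit a single
    answer and returns None.
    """
    allowed = policy.get(idi, set())
    if idr is not None:
        return idr if idr in allowed else None
    if len(allowed) == 1:
        return next(iter(allowed))
    return None


def responder_select(wire, policy):
    """Parse IDi (and IDr, if chained after it) off the wire and choose."""
    nxt, t, d, rest = parse_id_payload(wire)
    idi = (t, d)
    idr = None
    if nxt == PAYLOAD_IDR:
        _, t2, d2, _ = parse_id_payload(rest)
        idr = (t2, d2)
    return select_service(policy, idi, idr)


# Constructed policy: the initiator from the thread is allowed two services,
# so the gateway cannot guess which one from IDi alone.
POLICY = {
    (ID_RFC822_ADDR, b"mcr@sandelman.ca"): {
        (ID_FQDN, b"area51.topsecretRandD.cisco.com"),
        (ID_FQDN, b"vpn.example.com"),  # constructed second service
    },
}

IDI_ONLY = build_id_payload(ID_RFC822_ADDR, "mcr@sandelman.ca")
IDI_WITH_IDR = (
    build_id_payload(ID_RFC822_ADDR, "mcr@sandelman.ca", next_payload=PAYLOAD_IDR)
    + build_id_payload(ID_FQDN, "area51.topsecretRandD.cisco.com")
)

if __name__ == "__main__":
    print("IDi only  ->", responder_select(IDI_ONLY, POLICY))
    print("IDi + IDr ->", responder_select(IDI_WITH_IDR, POLICY))
```

Running it prints `None` for the IDi-only case and the area51 identity when IDr is supplied; drop the second entry from `POLICY` and the IDi-only case resolves on its own, which is exactly the fully preconfigured VPN situation where an optional IDr is unnecessary.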