
Re: "Me Tarzan, You Jane" in IKEv2-05





>>>>> "Bill" == Bill Sommerfeld <sommerfeld@east.sun.com> writes:
    >> I don't see how it matters how the binding is done. It is a local
    >> matter.  Maybe I have /etc/keys. The responder has a list of
    >> identities that it is authoritative for.

    Bill> yes, and it's likely to be the case that in peer-to-peer
    Bill> situations, initiator and responder may swap roles over the long
    Bill> run -- but the entity which was previously responder wants to
    Bill> ensure it talks to the same entity which was the initiator, and it
    Bill> could thus convert a received "me jane" into an outgoing "me
    Bill> tarzan, you jane" some time afterwards..

  Bill, I strongly agree with you - that it is best to be specific about
who we wish to talk to, because one can swap ends.

  But, I'm not sure if you are agreeing with me that the mapping of key
names to actual keys is a local matter.

===

  Dan, I've read pieces of -05 (I was intending to read it all tonight).

  I see that we have an identity payload that is not what I wrote at:
    http://www.sandelman.ca/ipsec/2002/12/msg00250.html

  but, is also not what Paul wrote at:
    http://www.sandelman.ottawa.on.ca/ipsec/2002/11/msg00018.html

  However, there is, section 1.2, page 7:
  
          HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
                  AUTH, SAi2, TSi, TSr}     -->

  I don't see any way in the ID payload down at section 3.5/page 43 to
know which is the IDi and which is the IDr in the third message.

  Since all of the IKEv1 types are still there, it should be simple to
implement Me-Tarzan/You-Jane. Since the CERT payload now has a raw
key in it, we are there. Me-Tarzan/You-Jane is there at this point.

  I thought that the origin of this debate was whether or not to include it,
that Charlie hadn't yet, because it was not implemented.

  We do *not* need the *two-optional-pieces* in the message of last December.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
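The exchange discussed in the message above, as an added example that is not part of the original post and not code from any IKEv2 draft or implementation: a responder that holds a local list of identities it is authoritative for (the "/etc/keys is a local matter" point) checks the IDi/IDr pair in the third message, and a peer that was previously the responder turns the "me Jane" it remembers into an outgoing "me Tarzan, you Jane" when the roles swap. Everything about wire layout is an assumption here: the ID payload is taken to be a 4-byte generic header (next payload, flags, length) followed by a 1-byte ID type, 3 reserved bytes and the identification data; the ID type numbers are the IKEv1 values; and IDi and IDr are told apart by distinct payload type numbers 35 and 36, which is how the published IKEv2 RFC later resolved the question the message raises about -05. The identity names, key names and addresses are constructed sample data.

```python
"""Added example: 'Me Tarzan, You Jane' handling for the IKE_AUTH ID payloads.
Not code from the original message or from any IKEv2 draft; the payload layout,
the payload type numbers 35/36 and the ID type numbers are assumptions stated
in the lead-in.  The responder's authoritative identity list is a local dict
standing in for something like /etc/keys.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PT_NONE, PT_IDi, PT_IDr = 0, 35, 36                # payload type numbers (assumed)
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR = 1, 2, 3    # IKEv1 ID types (RFC 2407 values)
ID_IPV6_ADDR, ID_DER_ASN1_DN, ID_KEY_ID = 5, 9, 11
_FIXED_LEN = {ID_IPV4_ADDR: 4, ID_IPV6_ADDR: 16}   # address identities have fixed size


@dataclass(frozen=True)
class Identity:
    id_type: int
    data: bytes


def encode_id_payload(ident: Identity, next_payload: int = PT_NONE) -> bytes:
    """Generic payload header + ID substructure; reserved fields sent as zero."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(ident.data),
                       ident.id_type, 0, 0) + ident.data


def decode_payload_chain(first_type: int, blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a next-payload chain, checking every length against the buffer."""
    out, ptype, off = [], first_type, 0
    while ptype != PT_NONE:
        if off + 4 > len(blob):
            raise ValueError("truncated generic payload header")
        nxt, _flags, length = struct.unpack("!BBH", blob[off:off + 4])
        if length < 4 or off + length > len(blob):
            raise ValueError("payload length exceeds buffer")
        out.append((ptype, blob[off + 4:off + length]))
        off, ptype = off + length, nxt
    if off != len(blob):
        raise ValueError("trailing bytes after last payload")
    return out


def decode_identity(body: bytes) -> Identity:
    """Parse the ID substructure and reject sizes that cannot be valid."""
    if len(body) < 4:
        raise ValueError("ID substructure too short")
    ident = Identity(body[0], body[4:])
    if ident.id_type in _FIXED_LEN and len(ident.data) != _FIXED_LEN[ident.id_type]:
        raise ValueError("address identity has wrong length")
    if not ident.data:
        raise ValueError("empty identification data")
    return ident


def is_well_formed(first_type: int, blob: bytes) -> bool:
    """True if the chain parses and every ID payload in it decodes."""
    try:
        for pt, body in decode_payload_chain(first_type, blob):
            if pt in (PT_IDi, PT_IDr):
                decode_identity(body)
        return True
    except ValueError:
        return False


class Responder:
    """Holds the identities this end is authoritative for (a local matter)."""

    def __init__(self, authoritative: Dict[Identity, str], default: Identity):
        assert default in authoritative
        self.authoritative, self.default = authoritative, default

    def choose_key(self, first_type: int, sk_payloads: bytes
                   ) -> Optional[Tuple[Identity, Identity, str]]:
        """Return (peer's IDi, our IDr, our key name), or None if we are not 'Jane'."""
        ids = {pt: decode_identity(body)
               for pt, body in decode_payload_chain(first_type, sk_payloads)
               if pt in (PT_IDi, PT_IDr)}
        if PT_IDi not in ids:
            raise ValueError("IDi is mandatory in the third message")
        idr = ids.get(PT_IDr, self.default)   # no "you Jane": answer as our default identity
        key = self.authoritative.get(idr)
        if key is None:
            return None                        # initiator asked for someone we are not
        return ids[PT_IDi], idr, key


def build_tarzan_jane(me: Identity, remembered_peer: Identity) -> bytes:
    """Former responder turns the peer's earlier 'me Jane' into 'me Tarzan, you Jane'."""
    return encode_id_payload(me, next_payload=PT_IDr) + encode_id_payload(remembered_peer)


# Constructed sample data (hypothetical names and addresses)
TARZAN = Identity(ID_FQDN, b"tarzan.example.test")
JANE = Identity(ID_FQDN, b"jane.example.test")
JANE_V4 = Identity(ID_IPV4_ADDR, bytes([192, 0, 2, 1]))
jane = Responder({JANE: "jane-rsa", JANE_V4: "jane-rsa"}, default=JANE)

if __name__ == "__main__":
    print(jane.choose_key(PT_IDi, build_tarzan_jane(TARZAN, JANE_V4)))
```

The responder never consults the peer's IDi to pick its own key; it selects the key from the IDr the initiator asked for, and refuses outright when that identity is not in its local list, which is the behaviour "you Jane" buys over a bare "me Tarzan". Omitting IDr is accepted and falls back to a locally configured default identity, mirroring the optional `[IDr,]` in the message layout quoted above.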