Re: Do ipsec vendors care about privacy?
Yoav Nir wrote:
[SNIP]
> If the client contacts the server and is able to produce a full
> ID_DER_ASN1_DN then we know it is not just a polling attack. But what if
> the client presents a ID_IPV4_ADDR? The IDr payload in message 3 was not
> intended to be used as a security measure. It was intended as a hint to the
> gateway as to which identity it should authenticate.
Agreed.
I think that if Bob doesn't receive IDi and AUTH payloads in message 2
then he understands that EAP authentication is going to be used.
Alice *MUST* send Bob a *valid IDr*. Valid IDs are all defined in
draft-ietf-ipsec-ikev2-05.txt except ID_IPV4_ADDR and ID_IPV6_ADDR.
In that case Bob receives such an IDr (invalid) he *MUST* send the
notification message Yoav defined below.
What do the others think?
[SNIP]
> INVALID-RESPONDER-ID 37
> Indicates that the initiator has sent an unacceptable
> responder ID as part of the initial negotiation. This
> only causes an error if the initiator has not sent its
> own ID.
--
------------------------------------------------
Antonio Forzieri
CEFRIEL - Politecnico di Milano
Thesis Student, E-Service Technologies Area
Tel: 02-23954.334 - email: forzieri@cefriel.it
ICQ# 177683894
------------------------------------------------
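The responder-side rule discussed above (reject an address-type IDr when the initiator has not identified itself, so that the IDr hint cannot be used to probe gateway identities), written out as an added Python example; this is not code from the thread or from any IKE implementation. The ID type numbers are IKEv2's, the notification number is the one quoted, and the AuthRequest model and payload bytes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# IKEv2 Identification payload types (values from the IKEv2 specification).
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR = 1, 2, 3
ID_IPV6_ADDR, ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID = 5, 9, 10, 11

# Address-based identities carry no evidence that the initiator actually
# knows which gateway it is talking to, so they are rejected as IDr here.
ADDRESS_ID_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR}

# Notification name and number exactly as proposed in the quoted text.
INVALID_RESPONDER_ID = 37


@dataclass
class AuthRequest:
    """Hypothetical model of the IKE_AUTH fields relevant to the check."""
    idr: Optional[bytes]  # raw Identification payload body, None if absent
    has_idi: bool         # initiator sent its own ID
    has_auth: bool        # initiator sent an AUTH payload (no EAP)


def parse_id_type(payload: bytes) -> int:
    """Identification payload body: ID Type (1 octet), RESERVED (3), data."""
    if len(payload) < 4:
        raise ValueError("truncated Identification payload")
    return payload[0]


def check_idr(req: AuthRequest) -> Optional[int]:
    """Return the notify type the responder should send, or None to accept.

    Per the quoted definition, the stricter rule applies only when the
    initiator has not sent its own ID (the EAP case); otherwise IDr stays
    a hint.  A missing IDr is treated as invalid, reading "MUST send a
    valid IDr" literally (an assumption of this example).
    """
    if req.has_idi and req.has_auth:
        return None  # initiator authenticates itself normally
    if req.idr is None:
        return INVALID_RESPONDER_ID
    if parse_id_type(req.idr) in ADDRESS_ID_TYPES:
        return INVALID_RESPONDER_ID
    return None


# Constructed sample payloads: an IPv4 IDr (192.0.2.1) and an FQDN IDr.
SAMPLE_IPV4_IDR = bytes([ID_IPV4_ADDR, 0, 0, 0]) + bytes([192, 0, 2, 1])
SAMPLE_FQDN_IDR = bytes([ID_FQDN, 0, 0, 0]) + b"vpn.example.com"
```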