Re: Confirm decision on identity handling.



Eric Rescorla writes:
 > Michael Thomas <mat@cisco.com> writes:
 > 
 > > Eric Rescorla writes:
 > >  > Michael Thomas <mat@cisco.com> writes:
 > >  > > Or something like this. Note that this doesn't
 > >  > > have anything to do with the *IKE* identity, it's
 > >  > > completely a property of the SA and its filters
 > >  > > that were derived from the policy which matched
 > >  > > for the mode and identity. It does, however,
 > >  > > enforce the property that you desired above,
 > >  > > especially when combined with the fact that you
 > >  > > need several round trips which establish that that
 > >  > > entity is, in fact, reachable at the outgoing
 > >  > > address.
 > >  > You must be joking.
 > >  > 
 > >  > What, you've never heard of active attacks? IP spoofing?
 > > 
 > > Yeah, yeah, and the application starting the TCP
 > > connection got that IP address from DNS which
 > > isn't secure either.
 > What, you've never heard of DNSSEC?

Ah, I see we're in the land of pixies and unicorns.

Glad we've cleared that up.

	   Mike