Re: Confirm decision on identity handling.
Eric Rescorla writes:
> Michael Thomas <mat@cisco.com> writes:
>
> > Eric Rescorla writes:
> > > Michael Thomas <mat@cisco.com> writes:
> > > > Or something like this. Note that this doesn't
> > > > have anything to do with the *IKE* identity, it's
> > > > completely a property of the SA and its filters
> > > > that were derived from the policy which matched
> > > > for the mode and identity. It does, however,
> > > > enforce the property that you desired above,
> > > > especially when combined with the fact that you
> > > > need several round trips which establish that that
> > > > entity is, in fact, reachable at the outgoing
> > > > address.
> > > You must be joking.
> > >
> > > What, you've never heard of active attacks? IP spoofing?
> >
> > Yeah, yeah, and the application starting the TCP
> > connection got that IP address from DNS which
> > isn't secure either.
> What, you've never heard of DNSSEC?
Ah, I see we're in the land of pixies and unicorns.
Glad we've cleared that up.
Mike