Re: Confirm decision on identity handling.
Michael Thomas <mat@cisco.com> writes:
> Eric Rescorla writes:
> > Michael Thomas <mat@cisco.com> writes:
> >
> > > Eric Rescorla writes:
> > > > Michael Thomas <mat@cisco.com> writes:
> > > > > Or something like this. Note that this doesn't
> > > > > have anything to do with the *IKE* identity, it's
> > > > > completely a property of the SA and its filters
> > > > > that were derived from the policy which matched
> > > > > for the mode and identity. It does, however,
> > > > > enforce the property that you desired above,
> > > > > especially when combined with the fact that you
> > > > > need several round trips which establish that that
> > > > > entity is, in fact, reachable at the outgoing
> > > > > address.
> > > > You must be joking.
> > > >
> > > > What, you've never heard of active attacks? IP spoofing?
> > >
> > > Yeah, yeah, and the application starting the TCP
> > > connection got that IP address from DNS which
> > > isn't secure either.
> > What, you've never heard of DNSSEC?
>
> Ah, I see we're in the land of pixies and unicorns.
>
> Glad we've cleared that up.
Given that you're the one suggesting that we ought to ignore
known possible active attacks, the appropriate response seems
to be:
Pot. Kettle. Black.
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/