
Re: Initial Contact Message processing



On Thu, Jan 15, 2004 at 05:21:16AM +0200, Tero Kivinen wrote:
> David Wierbowski writes:
> > Are you saying that an identity may use IPSec from one device only?
> 
> User can use IPsec from multiple devices, but if you want to have
> working solution going through NATs each identity should only be tied
> to one device. This normally is the case, your private key is only
> stored in exactly one machine, and it is tied to one certificate
> having one identity. If you have another device you use to connect to
> the same VPN you should have separate private key and identity for
> that (for example FQDN).

It seems to me that implementations could easily allow the use of
the identity,address,port tuple instead of just "identity" or
"address,port" (the latter being a bug).  This seems more flexible
and, to be honest, I don't see any downside to it at all.  Do you?

Requiring a different identity for each device used by a given user
is likely to cause severe problems with X.500 identities, considering
how certificates are usually allocated to users.  I worked on one
implementation (IKEv1 without Initial Contact, FWIW) where this would
have been an utter disaster for some of our largest customers.

Thor
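The identity/address/port tuple rule discussed above, as an added illustration that is not code from this thread or from any IKE implementation: a toy responder SA table processes an INITIAL_CONTACT notify under each of the three candidate lookup keys, showing which existing SAs are torn down when a second device of the same user (behind the same NAT) reconnects. The user name, the SPI labels and the 203.0.113.5 NAT address are all constructed.

```python
from dataclasses import dataclass
from typing import List

# Constructed model of an IKE responder's SA table (not a real implementation).
# Each entry records the peer identity plus the NAT-side address/port the SA
# was negotiated from; `spi` is just a constructed label for the entry.
@dataclass(frozen=True)
class Sa:
    identity: str
    addr: str
    port: int
    spi: str

def initial_contact(table: List[Sa], new: Sa, policy: str) -> List[Sa]:
    """Return the SA table after an INITIAL_CONTACT received with SA `new`.

    `policy` selects the key used to find the SAs the notify declares stale:
      'identity'     - every SA with the same identity (the identity-only rule)
      'address_port' - every SA from the same NAT address and port
      'tuple'        - only SAs matching identity AND address AND port
                       (the rule proposed in the reply above)
    """
    def stale(sa: Sa) -> bool:
        if policy == "identity":
            return sa.identity == new.identity
        if policy == "address_port":
            return (sa.addr, sa.port) == (new.addr, new.port)
        if policy == "tuple":
            return (sa.identity, sa.addr, sa.port) == (new.identity, new.addr, new.port)
        raise ValueError(f"unknown policy {policy!r}")
    # Stale SAs are deleted; the SA the notify arrived on is kept.
    return [sa for sa in table if not stale(sa)] + [new]

# Constructed scenario: one user, two devices behind the same NAT, so both
# share the NAT's external address but arrive from different UDP ports.
LAPTOP = Sa("alice@example.com", "203.0.113.5", 4500, "spi-laptop")
PHONE_OLD = Sa("alice@example.com", "203.0.113.5", 4501, "spi-phone-old")
PHONE_NEW = Sa("alice@example.com", "203.0.113.5", 4501, "spi-phone-new")

def surviving(policy: str) -> List[str]:
    """SPIs left in the table after the phone reconnects and sends INITIAL_CONTACT."""
    return [sa.spi for sa in initial_contact([LAPTOP, PHONE_OLD], PHONE_NEW, policy)]

if __name__ == "__main__":
    for policy in ("identity", "address_port", "tuple"):
        print(f"{policy:13s} -> {surviving(policy)}")
```

Under the identity-only rule the laptop's SA is collateral damage of the phone's reconnect; under the tuple rule only the phone's own stale SA is removed.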