Re: Initial Contact Message processing
>>>>> "Thor" == Thor Lancelot Simon <tls@rek.tjls.com> writes:
Thor> On Thu, Jan 15, 2004 at 05:21:16AM +0200, Tero Kivinen wrote:
>> David Wierbowski writes: > Are you saying that an identity may use
>> IPSec from one device only?
>>
>> User can use IPsec from multiple devices, but if you want to have
>> working solution going through NATs each identity should only be
>> tied to one device. This normally is the case, your private key is
>> only stored in exactly one machine, and it is tied to one
>> certificate having one identity. If you have another device you
>> use to connect to the same VPN you should have separate private
>> key and identity for that (for example FQDN).
Thor> It seems to me that implementations could easily allow the use
Thor> of the identity,address,port tuple instead of just "identity"
Thor> or "address,port" (the latter being a bug). This seems more
Thor> flexible and, to be honest, I don't see any downside to it at
Thor> all. Do you?
Thor> Requiring a different identity for each device used by a given
Thor> user is likely to cause severe problems with X.500 identities,
Thor> considering how certificates are usually allocated to users. I
Thor> worked on one implementation (IKEv1 without Initial Contact,
Thor> FWIW) where this would have been an utter disaster for some of
Thor> our largest customers.
Agreed.
Since a "device" can have multiple NICs, it can have multiple
addresses. So if "address" is used as part of the tuple that
distinguishes devices, how are multi-NIC devices handled?
paul
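An added model of the Initial Contact processing debated above (my example, not code from the thread or from any IKE implementation), showing which existing SAs are torn down when the responder keys its SA table by identity only, by address and port only, or by the (identity, address, port) tuple Thor proposes. The SA fields, policy names and the scenario values are constructed for the illustration.

```python
"""Model of IKE INITIAL_CONTACT processing on a responder. Which old SAs an
Initial Contact notification deletes depends on how the SA table is keyed.
Added example; the SA fields and policy names are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    spi: int
    identity: str  # authenticated peer identity (DN, FQDN, ...)
    address: str   # peer address as seen by the responder (after NAT)
    port: int      # peer UDP port as seen by the responder (after NAT)

# Candidate keys for deciding which existing SAs an Initial Contact replaces.
KEYS = {
    "identity": lambda sa: (sa.identity,),
    "address_port": lambda sa: (sa.address, sa.port),
    "identity_address_port": lambda sa: (sa.identity, sa.address, sa.port),
}

def process_initial_contact(table, new_sa, policy):
    """Return the SPIs of old SAs that INITIAL_CONTACT on new_sa deletes.

    An old SA is deleted only if it matches new_sa under the chosen key;
    new_sa itself is never deleted.
    """
    key = KEYS[policy]
    return [sa.spi for sa in table
            if sa.spi != new_sa.spi and key(sa) == key(new_sa)]

# Constructed scenario: user "alice" uses one certificate on two devices
# behind the same NAT; the responder sees one address and distinct ports.
NAT = "203.0.113.7"
TABLE = [SA(1, "CN=alice", NAT, 40001),   # alice's laptop
         SA(2, "CN=alice", NAT, 40002)]   # alice's phone

def laptop_reboot():
    """alice's laptop reboots and reconnects through the same NAT mapping."""
    new = SA(3, "CN=alice", NAT, 40001)
    return {p: process_initial_contact(TABLE, new, p) for p in KEYS}

def nat_mapping_reused():
    """Later the NAT hands the laptop's old mapping to another user, bob."""
    new = SA(4, "CN=bob", NAT, 40001)
    return {p: process_initial_contact(TABLE, new, p) for p in KEYS}

if __name__ == "__main__":
    print(laptop_reboot())       # identity-only also kills the phone's SA
    print(nat_mapping_reused())  # address,port-only kills alice's SA
```

Only the tuple key leaves the phone's SA alone on the reboot and leaves alice's SAs alone when bob inherits the NAT mapping; a stale SA that the tuple key does not catch is left to dead peer detection rather than to Initial Contact.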