
Re: Initial Contact Message processing



>>>>> "Thor" == Thor Lancelot Simon <tls@rek.tjls.com> writes:

 Thor> On Thu, Jan 15, 2004 at 05:21:16AM +0200, Tero Kivinen wrote:
 >> David Wierbowski writes:
 >> > Are you saying that an identity may use
 >> > IPSec from one device only?
 >> 
 >> User can use IPsec from multiple devices, but if you want to have
 >> a working solution going through NATs each identity should only be
 >> tied to one device. This normally is the case, your private key is
 >> only stored in exactly one machine, and it is tied to one
 >> certificate having one identity. If you have another device you
 >> use to connect to the same VPN you should have a separate private
 >> key and identity for that (for example FQDN).

 Thor> It seems to me that implementations could easily allow the use
 Thor> of the identity,address,port tuple instead of just "identity"
 Thor> or "address,port" (the latter being a bug).  This seems more
 Thor> flexible and, to be honest, I don't see any downside to it at
 Thor> all.  Do you?

 Thor> Requiring a different identity for each device used by a given
 Thor> user is likely to cause severe problems with X.500 identities,
 Thor> considering how certificates are usually allocated to users.  I
 Thor> worked on one implementation (IKEv1 without Initial Contact,
 Thor> FWIW) where this would have been an utter disaster for some of
 Thor> our largest customers.

Agreed.

Since a "device" can have multiple NICs, it can have multiple
addresses.  So if "address" is used as part of the tuple that
distinguishes devices, how are multi-NIC devices handled?

	      paul
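As an added illustration (not code from this thread or from any IKE implementation), a small Python model of Initial Contact processing under the three peer-key choices discussed above: identity only, address/port only, and the identity/address/port tuple. The SA table, the NAT's external address, the ports and the identities are constructed sample values, not taken from any real deployment.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class SA:
    """One IKE SA as the responder sees it; address/port are post-NAT values."""
    identity: str   # IKE ID from the peer's certificate (or an FQDN)
    address: str    # source address seen on the wire
    port: int       # UDP source port seen on the wire (NAT-T)
    spi: int        # responder-side SPI, unique per SA

def peer_key(sa: SA, policy: str) -> Tuple:
    """Key that decides which existing SAs count as 'the same peer'."""
    if policy == "identity":
        return (sa.identity,)
    if policy == "address_port":
        return (sa.address, sa.port)
    if policy == "tuple":
        return (sa.identity, sa.address, sa.port)
    raise ValueError(f"unknown policy {policy!r}")

def process_initial_contact(sad: List[SA], new_sa: SA, policy: str) -> List[SA]:
    """SAs that remain after new_sa's Initial Contact is honoured:
    every SA sharing new_sa's peer key, except new_sa itself, is deleted."""
    key = peer_key(new_sa, policy)
    return [sa for sa in sad if sa.spi == new_sa.spi or peer_key(sa, policy) != key]

# Constructed scenario: alice's laptop and phone sit behind one NAT
# (external address 203.0.113.5) and share a single certificate identity.
LAPTOP = SA("CN=alice", "203.0.113.5", 4500, spi=1)
PHONE = SA("CN=alice", "203.0.113.5", 4501, spi=2)

def survivors_after_phone_connects(policy: str) -> List[int]:
    """Phone's SA is up and it sends Initial Contact; which SPIs survive?"""
    return sorted(sa.spi for sa in process_initial_contact([LAPTOP, PHONE], PHONE, policy))

# Constructed: the NAT later maps port 4500 to a different user behind it.
BOB = SA("CN=bob", "203.0.113.5", 4500, spi=3)

def survivors_after_bob_connects(policy: str) -> List[int]:
    """Bob's SA is up and he sends Initial Contact; which SPIs survive?"""
    return sorted(sa.spi for sa in process_initial_contact([LAPTOP, PHONE, BOB], BOB, policy))

if __name__ == "__main__":
    for policy in ("identity", "address_port", "tuple"):
        print(policy, survivors_after_phone_connects(policy), survivors_after_bob_connects(policy))
```

Under "identity" the phone's Initial Contact tears down the laptop's SA (the multi-device problem Thor raises), under "address_port" Bob's Initial Contact tears down alice's laptop SA although it belongs to a different identity, and only the tuple keeps both users' SAs intact.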