
Re: Initial Contact Message processing

 Thor>> It seems to me that implementations could easily allow the use
 Thor>> of the identity,address,port tuple instead of just "identity"
 Thor>> or "address,port" (the latter being a bug).  This seems more
 Thor>> flexible and, to be honest, I don't see any downside to it at
 Thor>> all.  Do you?

 Thor>> Requiring a different identity for each device used by a given
 Thor>> user is likely to cause severe problems with X.500 identities,
 Thor>> considering how certificates are usually allocated to users.  I
 Thor>> worked on one implementation (IKEv1 without Initial Contact,
 Thor>> FWIW) where this would have been an utter disaster for some of
 Thor>> our largest customers.

 Paul> Agreed.

 Paul> Since a "device" can have multiple NICs, it can have multiple
 Paul> addresses.  So if "address" is used as part of the tuple that
 Paul> distinguishes devices, how are multi-NIC devices handled?

 Not sure this is the best answer, but on the implementation that I work
 on we would require multiple phase 1 SAs with that device.  One for every
 NIC (IP address) owned by the device from which a phase 2 negotiation
 would be started.  Based on this thread we might be better off allowing
 all NICs to utilize the same SA.
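A small Python simulation of the question under discussion, added here and not code from any implementation mentioned in the thread: which existing SAs a responder tears down on receipt of INITIAL_CONTACT depends on the key it uses to decide what "the peer" is (identity only, address/port only, or the full tuple). The user names, addresses, the one-SA-per-NIC layout and the stale-SA scenario are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    identity: str   # IKE ID, e.g. an X.500 DN shared by all of a user's devices
    address: str    # peer IP address (one per NIC)
    port: int
    label: str      # constructed label standing in for the SPIs

def peer_key(sa, policy):
    """Return the key INITIAL_CONTACT is matched against under a policy."""
    if policy == "identity":
        return (sa.identity,)
    if policy == "address":   # address,port only (the thread calls this a bug)
        return (sa.address, sa.port)
    if policy == "tuple":
        return (sa.identity, sa.address, sa.port)
    raise ValueError(policy)

def process_initial_contact(table, new_sa, policy):
    """Responder side: the sender asserts it has no other SAs with us, so
    delete every existing SA matching the peer key, then install new_sa."""
    key = peer_key(new_sa, policy)
    deleted = [sa for sa in table if peer_key(sa, policy) == key]
    kept = [sa for sa in table if peer_key(sa, policy) != key]
    return kept + [new_sa], deleted

# Constructed scenario: one user with a laptop and a dual-NIC desktop, one
# phase 1 SA per NIC as in the reply above, plus a stale SA left by a
# different user whose address the desktop's first NIC has since taken over.
ALICE, BOB = "CN=alice,O=example", "CN=bob,O=example"
TABLE = [
    SA(ALICE, "192.0.2.10", 500, "alice-laptop"),
    SA(ALICE, "192.0.2.20", 500, "alice-desktop-nic1"),
    SA(ALICE, "192.0.2.21", 500, "alice-desktop-nic2"),
    SA(BOB,   "192.0.2.20", 500, "bob-stale"),
]
# The desktop reboots and its first NIC negotiates a new SA with INITIAL_CONTACT.
NEW = SA(ALICE, "192.0.2.20", 500, "alice-desktop-nic1-new")

def deleted_labels(policy):
    """Which existing SAs the responder tears down under each policy."""
    _, deleted = process_initial_contact(TABLE, NEW, policy)
    return sorted(sa.label for sa in deleted)

if __name__ == "__main__":
    for policy in ("identity", "address", "tuple"):
        print(policy, deleted_labels(policy))
```

Under the identity-only key the laptop and the second NIC lose their SAs although neither restarted; the full tuple removes only the SA the rebooted NIC is replacing.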