Re: Initial Contact Message processing
Thor>> It seems to me that implementations could easily allow the use
Thor>> of the identity,address,port tuple instead of just "identity"
Thor>> or "address,port" (the latter being a bug). This seems more
Thor>> flexible and, to be honest, I don't see any downside to it at
Thor>> all. Do you?
Thor>> Requiring a different identity for each device used by a given
Thor>> user is likely to cause severe problems with X.500 identities,
Thor>> considering how certificates are usually allocated to users. I
Thor>> worked on one implementation (IKEv1 without Initial Contact,
Thor>> FWIW) where this would have been an utter disaster for some of
Thor>> our largest customers.
Paul> Agreed.
Paul> Since a "device" can have multiple NICs, it can have multiple
Paul> addresses. So if "address" is used as part of the tuple that
Paul> distinguishes devices, how are multi-NIC devices handled?
Not sure this is the best answer, but on the implementation that I work
on we would require multiple phase 1 SAs with that device, one for every
NIC (IP address) owned by the device from which a phase 2 negotiation
would be started. Based on this thread we might be better off allowing
all NICs to utilize the same SA.