Old discussion - subject - Me tarzan and me jane
Hi,
I went through the messages posted on the above subject, but did not find any conclusion on that.
IPSEC implementations today compare the ID data in the received ID payload with the ID information in the peer certificate, and if no certificate ID matches the ID in the ID payload, the transaction is declined.
There was some discussion in the Mar/Apr 2003 time frame about making this a local matter, but it is creating interoperability problems.
I see somebody indicating that it is not possible to extract the ID from the certificate and that is why the check should be made a local matter. I hope this can't be the justification, and if that is so, then impersonation is possible.
Implementations, at minimum, must ensure that one of the IDs in the certificate matches (fully or partially) the ID configured locally in the IKE policy.
I see one post indicating that the sender may not know the ID that needs to be used while sending the ID in the ID payload, as the certificate may have multiple IDs in it. This may be true, but in my view, any of the IDs can be sent in the ID payload. The receiver of the ID payload can ensure that the received ID is one of the IDs in the certificate.
In my view, we should mandate:
- The sender of the ID payload MUST send any one of the IDs in his/her certificate. This ID should be the one that the receiver uses to identify the peer for giving appropriate privileges.
- The receiver of the ID payload MUST ensure that
  -- the received ID is one of the IDs in the peer certificate
  -- the received ID matches (fully or partially) the locally configured 'Accepted Remote IDs'.
Thanks
Vamsi
CTO Office
www.intoto.com
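The two receiver-side rules proposed in the post above, as an added example (not code from the poster or from any IPsec implementation): the peer certificate's identities are assumed to have already been extracted from the subject DN and SubjectAltName (DER parsing is out of scope), the partial-match forms (CIDR prefix for ID_IPV4_ADDR, leftmost-label wildcard for ID_FQDN, domain wildcard for ID_USER_FQDN, attribute subset for ID_DER_ASN1_DN) are this example's own convention, and the sample certificate and 'Accepted Remote IDs' data are constructed.

```python
"""Receiver-side check of an IKE ID payload against the peer certificate
and the locally configured 'Accepted Remote IDs'.

Certificate identities are passed in already extracted (subject DN and
SubjectAltName entries); the partial-match syntax below is this example's
own convention, not a standard one.
"""
import ipaddress

# ISAKMP/IKEv1 identification types used in the ID payload.
ID_IPV4_ADDR = "ID_IPV4_ADDR"
ID_FQDN = "ID_FQDN"
ID_USER_FQDN = "ID_USER_FQDN"       # RFC 822 e-mail address
ID_DER_ASN1_DN = "ID_DER_ASN1_DN"   # modelled as a tuple of (attribute, value)


def _canon(kind, value):
    """Normalise an identity so that equality means 'same identity'."""
    if kind == ID_IPV4_ADDR:
        return ipaddress.IPv4Address(value)
    if kind in (ID_FQDN, ID_USER_FQDN):
        return value.strip().rstrip(".").lower()
    if kind == ID_DER_ASN1_DN:
        return tuple((a.upper(), v.strip().lower()) for a, v in value)
    raise ValueError(f"unsupported ID type {kind}")


def id_in_certificate(received, cert_ids):
    """Rule 1: the received ID must be one of the identities carried in the
    peer certificate (same type and same value). Without this, a peer could
    present a valid certificate and claim an ID the CA never bound to it."""
    kind, value = received
    want = _canon(kind, value)
    return any(k == kind and _canon(k, v) == want for k, v in cert_ids)


def id_matches_policy(received, accepted_remote_ids):
    """Rule 2: full or partial match against 'Accepted Remote IDs'.
    Partial forms supported here (example convention):
      ID_IPV4_ADDR    a CIDR prefix such as 192.0.2.0/24
      ID_FQDN         a single-label wildcard such as *.example.com
      ID_USER_FQDN    a domain wildcard such as *@example.com
      ID_DER_ASN1_DN  a DN whose attributes must all appear in the received DN
    """
    kind, value = received
    got = _canon(kind, value)
    for pkind, pvalue in accepted_remote_ids:
        if pkind != kind:
            continue
        if kind == ID_IPV4_ADDR:
            if got in ipaddress.IPv4Network(pvalue, strict=False):
                return True
        elif kind == ID_FQDN:
            pat = pvalue.rstrip(".").lower()
            if pat.startswith("*."):
                head, _, tail = got.partition(".")
                if head and tail == pat[2:]:      # exactly one label matched
                    return True
            elif got == pat:
                return True
        elif kind == ID_USER_FQDN:
            pat = pvalue.lower()
            if pat.startswith("*@"):
                if "@" in got and got.rsplit("@", 1)[1] == pat[2:]:
                    return True
            elif got == pat:
                return True
        elif kind == ID_DER_ASN1_DN:
            policy = _canon(kind, pvalue)
            if all(rdn in got for rdn in policy):
                return True
    return False


def authorize_peer(received, cert_ids, accepted_remote_ids):
    """Apply both rules in order; return (accepted, reason)."""
    if not id_in_certificate(received, cert_ids):
        return False, "ID payload not bound to peer certificate"
    if not id_matches_policy(received, accepted_remote_ids):
        return False, "ID not in Accepted Remote IDs"
    return True, "ok"


# Constructed sample data (not taken from any real deployment).
PEER_CERT_IDS = [
    (ID_DER_ASN1_DN, (("C", "US"), ("O", "Example Corp"), ("CN", "gw1"))),
    (ID_FQDN, "gw1.example.com"),
    (ID_IPV4_ADDR, "192.0.2.10"),
    (ID_USER_FQDN, "gw1@example.com"),
]
ACCEPTED_REMOTE_IDS = [
    (ID_FQDN, "*.example.com"),
    (ID_IPV4_ADDR, "192.0.2.0/24"),
    (ID_DER_ASN1_DN, (("C", "US"), ("O", "Example Corp"))),
]

if __name__ == "__main__":
    for rid in [(ID_FQDN, "gw1.example.com"),
                (ID_FQDN, "gw2.example.com"),        # not in the certificate
                (ID_IPV4_ADDR, "192.0.2.10"),
                (ID_USER_FQDN, "gw1@example.com")]:  # in cert, no policy entry
        print(rid, authorize_peer(rid, PEER_CERT_IDS, ACCEPTED_REMOTE_IDS))
```

The order of the two checks matters: the certificate binding is verified first so that policy matching is only ever performed on an identity the CA actually vouched for, which is the impersonation case the post is worried about.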