Re: SPD name entries & IKE
At 1:17 PM -0500 1/21/04, Stephen Kent wrote:
>What we discovered, in talking with several folks, is that there
>appears to be no standard way for the IKE initiator to signal to a
>responder that the ID is to be used for the lookup, vs. the selector
>payloads.
Correct.
> To me, this suggests that we need yet one more minor modification
>to IKE to accommodate this case.
Implementers seem to be of (at least) two minds on this. One camp
says "the initiator has no right telling the responder what the
responder should be doing in its security policy lookup". The other
camp says "in a closed IPsec environment, the system administrator
can tell the initiator how to tell the responder to use the ID for
lookup". The revised identity discussion didn't come to agreement on
this; it seems like it is a religious issue.
Looking at it a different way might help. In the presence of an
authenticator, why would the responder ever use the information in
the selector payloads? The authenticators are always externally
assured. If they are preshared keys, the act of presharing assures
both sides of the identities; if they are certs, the mutually-trusted
CA assures both sides that the identities in the certs are valid.
Selector payloads are just assertions by the initiator of what they
are supposed to have access to. Always using the externally assured
authenticators seems like a better idea.
--Paul Hoffman, Director
--VPN Consortium
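The distinction Paul draws, that the authenticated ID is externally assured while the selector payloads are only the initiator's assertions, can be made concrete with a small responder-side SPD model. The following Python is an added example and is not code from this thread or from any IKE implementation; the peer identities, address ranges, the SPD contents and the request values are all constructed for illustration. It contrasts two lookups: one that indexes the SPD by the authenticated ID and lets the proposed selectors only narrow that entry, and one that picks the entry from the selectors alone, whoever authenticated.

```python
"""Responder-side SPD lookup keyed by the authenticated IKE identity.

Hypothetical model (not an IKE implementation): the SPD is indexed by the
identity the responder has already authenticated, and the initiator's traffic
selectors may only narrow that entry, never choose a different one.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """IPv4 traffic selector: address range, port range, IP protocol (0 = any)."""
    net: str
    port_lo: int = 0
    port_hi: int = 65535
    proto: int = 0


@dataclass(frozen=True)
class SpdEntry:
    remote: Selector  # traffic the peer may claim as its own side
    local: Selector   # traffic on our side the peer may reach


# Constructed SPD: two branch gateways, each entitled only to its own range.
# The key is the ID payload content, consulted only after AUTH verification.
SPD_BY_ID = {
    "gw-branch1.example.net": SpdEntry(Selector("10.1.0.0/16"), Selector("192.0.2.0/24")),
    "gw-branch2.example.net": SpdEntry(Selector("10.2.0.0/16"), Selector("192.0.2.0/24")),
}


def narrow(allowed: Selector, proposed: Selector) -> Optional[Selector]:
    """Intersect an allowed selector with a proposed one; None if they are disjoint."""
    a = ipaddress.ip_network(allowed.net)
    p = ipaddress.ip_network(proposed.net)
    if p.subnet_of(a):      # CIDR blocks are either nested or disjoint
        net = p
    elif a.subnet_of(p):
        net = a
    else:
        return None
    lo = max(allowed.port_lo, proposed.port_lo)
    hi = min(allowed.port_hi, proposed.port_hi)
    if lo > hi:
        return None
    if allowed.proto == 0:
        proto = proposed.proto
    elif proposed.proto in (0, allowed.proto):
        proto = allowed.proto
    else:
        return None
    return Selector(str(net), lo, hi, proto)


def lookup_by_id(peer_id: str, remote: Selector, local: Selector) -> Optional[SpdEntry]:
    """Authenticated-ID lookup: the entry is chosen by who the peer proved to be.
    The proposed selectors can narrow it but cannot reach another peer's entry."""
    entry = SPD_BY_ID.get(peer_id)
    if entry is None:
        return None
    rem = narrow(entry.remote, remote)
    loc = narrow(entry.local, local)
    if rem is None or loc is None:
        return None
    return SpdEntry(rem, loc)


def lookup_by_selector(remote: Selector, local: Selector) -> Optional[str]:
    """Selector-driven lookup, the alternative the thread debates: the first entry
    matching what the initiator asserted wins, whoever authenticated. Returns the key."""
    for peer_id, entry in SPD_BY_ID.items():
        if narrow(entry.remote, remote) and narrow(entry.local, local):
            return peer_id
    return None


if __name__ == "__main__":
    # branch2 authenticates as itself but asserts branch1's address range
    claimed = Selector("10.1.0.0/16")
    inside = Selector("192.0.2.0/24")
    print("by selector:", lookup_by_selector(claimed, inside))                  # gw-branch1.example.net
    print("by ID      :", lookup_by_id("gw-branch2.example.net", claimed, inside))  # None
```

In the selector-driven lookup the asserted range alone selects branch1's policy, so an authenticated branch2 obtains an SA covering traffic it was never entitled to; in the ID-keyed lookup the same request fails because the selectors cannot escape the entry bound to the authenticated identity. Narrowing a proposed selector to the allowed one, rather than rejecting any mismatch, is the author's design choice here and is an assumption, not something this thread specifies.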