
Re: SPD name entries & IKE



On Wed, Jan 21, 2004 at 12:13:54PM -0800, vamsi wrote:
> 
> Some implementations, including ours, identify the remote roaming user by 
> their ID (ID in certificate
> OR ID from the payload) and corresponding SPD policies are activated upon 
> phase1 completion.
> While activating the SPD policies, the Destination IP address of outbound 
> policies and Source IP address
> of corresponding incoming policies are changed to the remote user's IP 
> address (Source IP of phase1 first message).
> Due to this, Quick Mode (QM) succeeds and finds the right SPD policy by 
> matching with the selectors.

The ReefEdge implementation did something similar to this, at least when
I worked on it; I assume it still does.  For users with preshared key
authentication in IKE, we had to use an out-of-band mechanism to identify
the user and communicate a single-use PSK, which is conceptually similar
to what PIC does.

When we added certificate support, we ended up doing approximately what
vamsi describes.  I suspect that others who do so share another of our
concerns, which was that of securely binding together an identity used
in IKE with an identity used by a separate -- legacy or otherwise --
AAA system.  One thing you need to be *extremely* careful of when you
set out to do this is to avoid session-stealing attacks, in which a
different authorized user renegotiates Phase 1 and then may use the
network as the user you originally authenticated, and whose security
policy rules you looked up.  Essentially, this approach obligates you
to track which identities are used in Phase 1 and destroy *all* state
associated with a given IP address when that identity changes.  It is
possible, but I have seen other vendors get it wrong; indeed, we
very nearly got it wrong ourselves, and felt pretty lucky that we
managed to thrash out a better solution than our original one!

Thor
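The scheme discussed in this thread, as an added example that is not part of the original message or of any vendor's code: a small model of a responder that keeps per-identity SPD templates, substitutes the roaming user's address into them when Phase 1 completes, and matches Quick Mode proposals against the resulting selectors. The `teardown_on_identity_change` switch shows the difference between Thor's "destroy all state for that IP when the identity changes" rule and the session-stealing behaviour he warns about, where a second authorized user who renegotiates Phase 1 from the same address inherits the first user's policy. All identities, addresses, networks and class names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PolicyTemplate:
    """Per-identity SPD template (constructed). The peer side is blank and is
    filled in with the roaming user's address when Phase 1 completes."""
    direction: str   # "out" (local -> peer) or "in" (peer -> local)
    local_net: str   # CIDR the user may reach / be reached from
    proto: str       # "any" or a protocol name such as "tcp"


@dataclass(frozen=True)
class SpdEntry:
    direction: str
    src: str
    dst: str
    proto: str


@dataclass
class PeerState:
    """Everything bound to one remote IP: identity, activated SPD, child SAs."""
    identity: str
    spd: List[SpdEntry] = field(default_factory=list)
    child_sas: List[str] = field(default_factory=list)


def _within(inner: str, outer: str) -> bool:
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


class RoamingSpd:
    """Responder-side SPD for roaming users (hypothetical model)."""

    def __init__(self, templates: Dict[str, List[PolicyTemplate]],
                 teardown_on_identity_change: bool = True):
        self.templates = templates
        self.by_ip: Dict[str, PeerState] = {}
        self.teardown_on_identity_change = teardown_on_identity_change

    def teardown(self, peer_ip: str) -> Optional[PeerState]:
        """Destroy *all* state for peer_ip: SPD entries and child SAs alike."""
        return self.by_ip.pop(peer_ip, None)

    def phase1_complete(self, peer_ip: str, identity: str) -> PeerState:
        """Activate identity's policies with peer_ip substituted for the
        blank side of each template."""
        state = self.by_ip.get(peer_ip)
        if state is not None and state.identity != identity:
            if self.teardown_on_identity_change:
                self.teardown(peer_ip)
                state = None
            # else: vulnerable path -- the previous identity's SPD entries
            # and child SAs stay bound to peer_ip and the newcomer inherits them
        if state is None:
            state = PeerState(identity=identity)
            self.by_ip[peer_ip] = state
        state.identity = identity
        host = f"{peer_ip}/32"
        for t in self.templates[identity]:
            entry = (SpdEntry("out", t.local_net, host, t.proto) if t.direction == "out"
                     else SpdEntry("in", host, t.local_net, t.proto))
            if entry not in state.spd:
                state.spd.append(entry)
        return state

    def quick_mode(self, peer_ip: str, direction: str, src: str, dst: str,
                   proto: str) -> Optional[SpdEntry]:
        """Match a QM proposal from peer_ip against the activated selectors;
        on a hit, record the child SA and return the entry, else None."""
        state = self.by_ip.get(peer_ip)
        if state is None:
            return None
        for e in state.spd:
            if (e.direction == direction and _within(src, e.src)
                    and _within(dst, e.dst) and e.proto in ("any", proto)):
                state.child_sas.append(f"{src}->{dst}/{proto}")
                return e
        return None


# Constructed sample policy: each user may only reach "their" /16.
TEMPLATES = {
    "alice@example.com": [PolicyTemplate("out", "10.1.0.0/16", "any"),
                          PolicyTemplate("in", "10.1.0.0/16", "any")],
    "bob@example.com": [PolicyTemplate("out", "10.2.0.0/16", "any"),
                        PolicyTemplate("in", "10.2.0.0/16", "any")],
}
PEER = "198.51.100.7"


def session_steal_demo(teardown: bool) -> bool:
    """True if bob, authenticating later from alice's address, can negotiate
    a child SA whose selectors match alice's policy."""
    spd = RoamingSpd(TEMPLATES, teardown_on_identity_change=teardown)
    spd.phase1_complete(PEER, "alice@example.com")
    spd.quick_mode(PEER, "in", f"{PEER}/32", "10.1.0.0/16", "tcp")  # alice's SA
    spd.phase1_complete(PEER, "bob@example.com")                      # same IP, new ID
    hit = spd.quick_mode(PEER, "in", f"{PEER}/32", "10.1.0.0/16", "tcp")
    return hit is not None


def leftover_child_sas(teardown: bool) -> int:
    spd = RoamingSpd(TEMPLATES, teardown_on_identity_change=teardown)
    spd.phase1_complete(PEER, "alice@example.com")
    spd.quick_mode(PEER, "out", "10.1.0.0/16", f"{PEER}/32", "any")
    spd.phase1_complete(PEER, "bob@example.com")
    return len(spd.by_ip[PEER].child_sas)


if __name__ == "__main__":
    print("stolen without teardown:", session_steal_demo(teardown=False))
    print("stolen with teardown:   ", session_steal_demo(teardown=True))
```

The point of the two demo functions is that the selector match itself is not where the problem lies: Quick Mode finds a perfectly valid SPD entry in both modes. What differs is whether the entry (and the child SAs already keyed on it) survived a Phase 1 for a different identity from the same address, which is exactly the state that has to be destroyed wholesale rather than patched.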