
[Ipsec] HASH and URL



Hi,
   As I understand it, the IKE node can send the hash of the public key of
   its certificate and a URL (including port number) from which the peer
   can retrieve its certificate. I guess it is to ensure that there is
   no fragmentation of IKE packets, as some routers might not honor
   fragmentation.

   I see that there would be firewall-related issues with this.
   Since IKE needs to make a new (HTTP) connection to
   the URI given in the Cert payload, any firewalls in between should have
   a policy (ACL) allowing this HTTP connection.

   This could be a deployment problem. The firewall administrator
   needs to create an ACL allowing all outbound connections.
   This is one of the problems faced by administrators with CRLDPs
   (CRL Distribution Points) too. At least in that case, the set of distribution
   points is smaller and in most cases deterministic, so the
   firewall administrator can create appropriate policies
   statically.

   What do you think of the following proposal?
   - The IKE peer which receives the Certificate payload always sends its
     IP address and port as part of the URL. (The assumption here is that
     all services are typically allowed between IPsec peers.)
   - When the IKE node receives the HTTP request, it could send an HTTP
     Redirect to a new URL, which could be outside its node.
   - The IKE peer is expected to use the same source IP address and port
     (maybe using the reuse-address option on sockets) to connect to the
     new HTTP server and port.
   - Since most firewalls support an 'address binding' feature,
     it should work.

Does this make sense? Comments?

Thanks
Suren
www.intoto.com
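An added example (not part of Suren's message or of any IKE implementation) showing the check that keeps Hash-and-URL safe no matter where the HTTP redirect lands: the certificate fetched over plain HTTP is only used if it hashes to the value carried in the IKE CERT payload. It assumes the IKEv2 (RFC 4306) payload layout, a 20-byte SHA-1 over the DER certificate followed by the URL, and uses a constructed stand-in byte string for the certificate and a documentation address for the peer's own IP and port.

```python
import hashlib
from urllib.parse import urlsplit

HASH_LEN = 20  # SHA-1 digest length used by the IKEv2 Hash-and-URL encoding


def build_hash_and_url(cert_der: bytes, url: str) -> bytes:
    """Build the CERT payload data: SHA-1(cert) followed by the URL (IKEv2 Hash-and-URL form)."""
    return hashlib.sha1(cert_der).digest() + url.encode("ascii")


def parse_hash_and_url(data: bytes) -> tuple:
    """Split payload data into (hash, url); reject anything too short or not an http URL with a host."""
    if len(data) <= HASH_LEN:
        raise ValueError("payload too short for hash + URL")
    digest, url = data[:HASH_LEN], data[HASH_LEN:].decode("ascii")
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("only http URLs with a host are accepted")
    return digest, url


def accept_fetched_cert(expected_hash: bytes, fetched: bytes) -> bool:
    """Trust decision: the fetched bytes are usable only if they hash to the IKE-signalled value."""
    return hashlib.sha1(fetched).digest() == expected_hash


# Constructed sample input: a stand-in for a DER certificate, and the peer's own IP:port URL
# as the proposal suggests (192.0.2.10 is a documentation address, not a real host).
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"constructed-certificate-body"
SAMPLE_URL = "http://192.0.2.10:8080/peer.der"


def demo() -> dict:
    payload = build_hash_and_url(SAMPLE_CERT, SAMPLE_URL)
    digest, url = parse_hash_and_url(payload)
    # Whichever server the HTTP redirect ends at, only bytes matching the hash pass.
    return {
        "url": url,
        "genuine_ok": accept_fetched_cert(digest, SAMPLE_CERT),
        "tampered_ok": accept_fetched_cert(digest, SAMPLE_CERT + b"x"),
    }


if __name__ == "__main__":
    print(demo())
```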



_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec