[Ipsec] HASH and URL
Hi,
As I understand it, an IKE node can send the hash of the public key of
its certificate together with a URL (including port number) from which the peer
can retrieve its certificate. I guess this is to ensure that there is
no fragmentation of IKE packets, as some routers might not honor
fragmentation.
I see that there would be firewall-related issues with this.
Since the IKE node needs to make a new (HTTP) connection to
the URI given in the Cert payload, any firewalls in between must have
a policy (ACL) that allows this HTTP connection.
This could be a deployment problem. The firewall administrator
would need to create an ACL allowing all outbound connections.
This is one of the problems faced by administrators with CRLDP
(CRL Distribution Points) too. At least in that case, the distribution
points are fewer and in most cases deterministic, so the
firewall administrator can create appropriate policies
statically.
What do you think of the following proposal?
- The IKE peer which receives the Certificate payload always sends its
IP address and port as part of the URL. (The assumption here is that
all services are typically allowed between IPsec peers.)
- When the IKE node receives the HTTP request, it could send an HTTP
redirect to a new URL, which could be outside the node.
- The IKE peer is expected to use the same source IP address and port
(maybe using the REUSE address socket option) to connect to the
new HTTP server and port.
- Since most firewalls support an 'address binding' feature,
it should work.
Does this make sense? Comments?
Thanks
Suren
www.intoto.com
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
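The retrieval step the post discusses, as an added example that is not part of the original message: the receiver decodes a Hash-and-URL CERT payload (assumed to use the IKEv2 encoding of a 20-octet SHA-1 over the DER certificate followed by the URL), follows a redirect off the IKE node, and accepts the fetched certificate only if it matches the hash, which is what makes the redirect target untrusted but safe. The certificates and the HTTP responses are constructed in-memory stand-ins so the example runs offline; `firewall_tuple` pulls out the host and port an ACL would have to allow.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed stand-ins for DER certificates (not real certificates).
CERT_A = b"\x30\x82\x01\x00" + b"A" * 60
CERT_B = b"\x30\x82\x01\x00" + b"B" * 60

# Constructed in-memory stand-in for HTTP, so the example runs offline:
# url -> ("redirect", new_url) or ("body", certificate_bytes).
FAKE_WEB = {
    "http://192.0.2.1:4500/cert": ("redirect", "http://cert.example.net/peer.der"),
    "http://cert.example.net/peer.der": ("body", CERT_A),
    "http://cert.example.net/wrong.der": ("body", CERT_B),
}

def encode_hash_and_url(cert_der, url):
    """CERT payload data for Hash-and-URL: SHA-1(DER cert) || URL (RFC 4306)."""
    return hashlib.sha1(cert_der).digest() + url.encode("ascii")

def decode_hash_and_url(data):
    """Split payload data into (hash, url); reject truncated payloads."""
    if len(data) <= 20:
        raise ValueError("hash-and-url payload too short")
    return data[:20], data[20:].decode("ascii")

def fetch(url, max_redirects=3):
    """Follow redirects as an HTTP client would, with a hop limit."""
    for _ in range(max_redirects + 1):
        kind, value = FAKE_WEB[url]
        if kind == "body":
            return value
        url = value
    raise ValueError("too many redirects")

def retrieve_and_verify(payload):
    """Fetch the certificate named by the URL and check it against the hash.
    Only the hash binds the certificate to the IKE peer; the URL and any
    redirect target are untrusted, so a mismatch is a hard failure."""
    expected, url = decode_hash_and_url(payload)
    cert = fetch(url)
    if hashlib.sha1(cert).digest() != expected:
        raise ValueError(f"certificate from {url} does not match payload hash")
    return cert

def firewall_tuple(url):
    """Host and port an administrator would need in an outbound ACL."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or 80
```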