[Ipsec] Re: [Pki4ipsec] HASH and URL
>>>>> "suren" == suren <suren@intoto.com> writes:
suren> Hi. As I understand it, the IKE node can send a hash of the public key
suren> of its certificate and a URL (including port number) from which
suren> the peer can retrieve its certificate. I guess it is to
suren> ensure that there is no fragmentation of IKE packets, as some
suren> routers might not honor fragmentation.
suren> I see that there would be firewall-related issues in
suren> this. Since IKE needs to make a new (HTTP) connection
suren> to the URI given in the Cert payload, any firewalls
suren> in between should have a policy (ACL) to allow this HTTP
suren> connection.
Worse, given NAT/firewall, you can't tell the peer to "get it from
http://me:1234/mycert.pem".
It would be best if we had an option in the CERT REQ which told the
peer to please do an HTTP POST to some URL.
A responder would then be in a position to know if it can provide for
this service or not.
- --
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
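The mechanism suren describes, as an added example that is not part of the original thread: the "Hash and URL" certificate encoding carries a 20-octet SHA-1 hash of the DER certificate followed by the URL (RFC 4306, encoding type 12), and the receiving peer must only accept what it fetches if it hashes to that value. The fetch is injected as a callable (an assumed stand-in for the HTTP GET) so the example runs offline against a constructed blob.

```python
"""Parse and verify an IKEv2 'Hash and URL' certificate encoding.

Added example, not code from the original thread. Per RFC 4306 section 3.6
the Certificate Data for encoding type 12 is the 20-octet SHA-1 hash of the
DER-encoded certificate followed by the URL. The fetch step is injected so
the example runs offline against a constructed blob.
"""
import hashlib
from typing import Callable, Optional, Tuple

HASH_AND_URL_X509 = 12  # CERT encoding type from RFC 4306
SHA1_LEN = 20


def parse_hash_and_url(cert_data: bytes) -> Tuple[bytes, str]:
    """Split Certificate Data into (sha1_hash, url); reject truncated input."""
    if len(cert_data) <= SHA1_LEN:
        raise ValueError("Certificate Data too short for hash and URL")
    url = cert_data[SHA1_LEN:].decode("ascii")  # the URL is ASCII text
    return cert_data[:SHA1_LEN], url


def retrieve_and_verify(cert_data: bytes, fetch: Callable[[str], bytes]) -> Optional[bytes]:
    """Fetch the certificate at the embedded URL and bind it to the hash.

    Returns the DER bytes only if SHA-1(DER) equals the hash carried in the
    CERT payload. Whatever else the URL host serves is discarded, so the
    HTTP retrieval itself does not need to be trusted: the hash received
    inside the authenticated IKE exchange is what vouches for the bytes.
    """
    expected, url = parse_hash_and_url(cert_data)
    der = fetch(url)
    if hashlib.sha1(der).digest() != expected:
        return None
    return der


# Constructed stand-in for a DER certificate (not a real certificate).
FAKE_DER = b"\x30\x82\x01\x00" + b"constructed-cert-body" * 4
CERT_DATA = hashlib.sha1(FAKE_DER).digest() + b"http://me:1234/mycert.pem"


def offline_fetch(url: str) -> bytes:
    # Assumed stand-in for the HTTP GET the peer would perform.
    return FAKE_DER if url == "http://me:1234/mycert.pem" else b"wrong-cert"


if __name__ == "__main__":
    print(retrieve_and_verify(CERT_DATA, offline_fetch) is not None)
```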
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec