
[Ipsec] Re: [Pki4ipsec] HASH and URL



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "suren" == suren  <suren@intoto.com> writes:
    suren> Hi, As I understand, the IKE node can send Hash of public key
    suren> of its certificate and URL (including port number) from which
    suren> the peer can retrieve its certificate. I guess, it is to
    suren> ensure that there is no fragmentation on IKE packets as some
    suren> routers might not honor fragmentation.

    suren>    I see that there would be firewall related issues in
    suren> this. Since, the IKE needs to make a new connection (HTTP
    suren> connection) to the URI given in Cert payload, any firewalls
    suren> in between should have a policy (ACL) to allow this HTTP
    suren> connection.

  Worse, given NAT/firewall, you can't tell the peer to "get it from http://me:1234/mycert.pem".
 
  It would be best if we had an option in the CERT REQ which told the
peer to please do an HTTP POST to some URL. 
  A responder would then be in a position to know if it can provide for
this service or not.

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQTYkpoqHRg3pndX9AQGLVwP/TvRnsCZ8rkQ9Q+bKv89iRtoHIGBnbIfU
SyfJCc3hNDCu9UK4113TGDB1VwieGK4z8jrBL+z7CDEhJrFv4YQdCHeOlNajRC7Y
q0b/igy60RpOEALfaoPN+OYJoSdTXAg92ibg8mEXV9G7CdJFNjW23XrdGlXPXrWX
qCSf0mcZfOw=
=w7NJ
-----END PGP SIGNATURE-----
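As an added illustration (not part of the original thread and not code from either poster), here is a small Python sketch of the two pieces the discussion turns on: what the Hash-and-URL certificate data carries, and the check the receiving peer must perform on whatever it fetched before trusting it, plus a sanity check for the NAT problem Michael raises (a responder advertising a URL whose host is a private or otherwise non-routable address). It assumes the IKEv2 encoding (a 20-octet SHA-1 of the DER-encoded certificate followed by the URL octets); the sample DER bytes, URLs and function names are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlparse

SHA1_LEN = 20  # IKEv2 Hash and URL: a 20-octet SHA-1 precedes the URL

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def encode_hash_and_url(cert_der: bytes, url: str) -> bytes:
    """Build the Certificate Data for a Hash and URL encoding.

    The hash binds the URL's content to the sender: the peer can fetch the
    certificate from anywhere, but must end up with exactly these DER bytes.
    """
    if not url.startswith(("http://", "https://")):
        raise ValueError("URL must be an HTTP(S) URL")
    return hashlib.sha1(cert_der).digest() + url.encode("ascii")


def decode_hash_and_url(data: bytes) -> Tuple[bytes, str]:
    """Split Certificate Data into (expected_hash, url)."""
    if len(data) <= SHA1_LEN:
        raise ValueError("Hash and URL data too short")
    return data[:SHA1_LEN], data[SHA1_LEN:].decode("ascii")


def verify_fetched_certificate(fetched_der: bytes, expected_hash: bytes) -> bool:
    """What the fetching peer must do with the HTTP response body:
    accept the certificate only if its SHA-1 matches the hash the IKE
    peer sent in-band. Constant-time compare avoids leaking match length."""
    return hmac.compare_digest(hashlib.sha1(fetched_der).digest(), expected_hash)


def url_host_is_globally_routable(url: str) -> Optional[bool]:
    """Responder-side sanity check before advertising a URL.

    Returns False if the host is a literal IP that is private, loopback,
    link-local or otherwise not globally routable (the "http://me:1234/..."
    behind NAT case), True if it is a global literal IP, and None when the
    host is a DNS name (reachability cannot be judged without resolving it).
    """
    host = urlparse(url).hostname
    if host is None:
        raise ValueError("URL has no host")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # hostname, not a literal address
    return addr.is_global


if __name__ == "__main__":
    payload = encode_hash_and_url(SAMPLE_CERT_DER, "http://10.0.0.5:1234/mycert.pem")
    expected_hash, url = decode_hash_and_url(payload)
    print("fetch from:", url, "routable:", url_host_is_globally_routable(url))
    print("verifies:", verify_fetched_certificate(SAMPLE_CERT_DER, expected_hash))
    print("tampered verifies:", verify_fetched_certificate(SAMPLE_CERT_DER + b"x", expected_hash))
```

The routability check only catches literal private addresses; a DNS name that resolves to a private address inside the responder's network fails in the same way at the peer, which is why the thread's suggestion of letting the peer say where to POST the certificate sidesteps the problem entirely.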

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec