
Re: SPD name entries & IKE



At 1:17 PM -0500 1/21/04, Stephen Kent wrote:
> What we discovered, in talking with several folks, is that there appears to be no standard way for the IKE initiator to signal to a responder that the ID is to be used for the lookup, vs. the selector payloads.

Correct.


> To me, this suggests that we need yet one more minor modification to IKE to accommodate this case.

Implementers seem to be of (at least) two minds on this. One camp says "the initiator has no right telling the responder what the responder should be doing in its security policy lookup". The other camp says "in a closed IPsec environment, the system administrator can tell the initiator how to tell the responder to use the ID for lookup". The revised identity discussion didn't come to agreement on this; it seems like it is a religious issue.


Looking at it a different way might help. In the presence of an authenticator, why would the responder ever use the information in the selector payloads? The authenticators are always externally assured. If they are preshared keys, the act of presharing assures both sides of the identities; if they are certs, the mutually-trusted CA assures both sides that the identities in the certs are valid. Selector payloads are just assertions by the initiator of what they are supposed to have access to. Always using the externally assured authenticators seems like a better idea.

--Paul Hoffman, Director
--VPN Consortium
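The distinction drawn in the message above, between an identity the authenticator vouches for and selectors the initiator merely asserts, can be made concrete with a toy responder policy lookup. This is an added illustration, not code from the thread or from any IKE implementation: the SPD table, the identities (alice@example.com, bob@example.com, mallory@example.com), the address ranges and the two lookup functions are all constructed for the example, and the model is deliberately simpler than a real IKE stack's policy engine.

```python
"""Toy model of a responder's SPD lookup: keyed by authenticated ID versus
keyed by the initiator's traffic selectors.

Added example; the SPD contents, identities and selectors are constructed
for illustration and do not come from any real deployment or IKE code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Selector:
    """A traffic selector: an address range plus protocol and port range."""
    network: IPv4Network
    proto: int      # 0 means any protocol
    port_lo: int
    port_hi: int

    def covers(self, other: "Selector") -> bool:
        """True if this (policy) selector wholly contains `other`."""
        return (
            other.network.subnet_of(self.network)
            and (self.proto == 0 or self.proto == other.proto)
            and self.port_lo <= other.port_lo
            and other.port_hi <= self.port_hi
        )


# Constructed responder SPD. The key is the peer identity that the
# authenticator (verified cert subject or preshared-key owner) vouches for;
# the value is the traffic that peer is allowed to protect.
SPD = {
    "alice@example.com": [Selector(ip_network("10.1.0.0/24"), 0, 0, 65535)],
    "bob@example.com": [Selector(ip_network("10.2.0.0/24"), 6, 443, 443)],
}


def lookup_by_id(auth_id, proposed):
    """Policy lookup keyed by the authenticated ID (the approach argued for).

    `proposed` is the list of selectors the initiator asserts. Returns the
    subset that policy for `auth_id` actually allows (the responder narrows
    to it), or None when the ID has no policy entry at all.
    """
    allowed = SPD.get(auth_id)
    if allowed is None:
        return None
    return [p for p in proposed if any(a.covers(p) for a in allowed)]


def lookup_by_selector(proposed):
    """Policy lookup keyed by the initiator's selectors (argued against).

    Finds any SPD entry, regardless of who authenticated, that covers each
    asserted selector. Because selectors are unauthenticated assertions, an
    authenticated peer can name someone else's traffic and be matched.
    """
    return [
        p for p in proposed
        if any(a.covers(p) for entry in SPD.values() for a in entry)
    ]


# Constructed proposals.
ALICE_NET = Selector(ip_network("10.1.0.0/24"), 0, 0, 65535)
BOB_WEB = Selector(ip_network("10.2.0.0/24"), 6, 443, 443)
BOB_ONE_HOST = Selector(ip_network("10.2.0.5/32"), 6, 443, 443)
BOB_HTTP = Selector(ip_network("10.2.0.0/24"), 6, 80, 80)


def run_scenarios():
    """Compare the two lookup strategies; returns a dict of outcomes."""
    spoof = [ALICE_NET]  # Bob authenticated as himself, asserts Alice's range
    return {
        # Selector-keyed lookup matches Alice's entry and grants Bob access.
        "by_selector_grants_spoof": lookup_by_selector(spoof) == [ALICE_NET],
        # ID-keyed lookup: Bob's own policy does not cover 10.1.0.0/24.
        "by_id_denies_spoof": lookup_by_id("bob@example.com", spoof) == [],
        # Honest over-assertion: Alice is narrowed to what her policy allows.
        "by_id_narrows": lookup_by_id("alice@example.com", [ALICE_NET, BOB_WEB]) == [ALICE_NET],
        # A proposal narrower than policy is fine; a different port is not.
        "by_id_allows_narrower": lookup_by_id("bob@example.com", [BOB_ONE_HOST]) == [BOB_ONE_HOST],
        "by_id_denies_other_port": lookup_by_id("bob@example.com", [BOB_HTTP]) == [],
        # Unknown authenticated ID: no policy entry, nothing to narrow to.
        "unknown_id_has_no_policy": lookup_by_id("mallory@example.com", spoof) is None,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point the model makes is the one in the message: with lookup_by_selector the responder's decision rests on a payload the initiator controls, so whoever authenticated can reach any policy entry by naming its selectors; with lookup_by_id the authenticated identity chooses the policy and the selectors are only checked against it, so the worst an over-asserting initiator gets is a narrower SA.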