Re: [Ipsec] Negotiating IKE_SAs

[Yoav Nir <ynir@xxxxxxxxxxxxxx>]

What Paul said.

In practice, if and only if the peer has a fixed IP address, you can  
choose the proposal based on that.  However, you should not base  
security on this, and should have a plan to do something if the  
authentication in the IKE_AUTH exchange shows that you've chosen wrong.

On Nov 7, 2006, at 2:57 AM, David Wierbowski wrote:

> In the IKE_SA_INIT exchange the initiator sends an SA payload  
> listing acceptable proposals. The responder picks one and sends the  
> chosen proposal to the initiator. The identities of the IKE  
> endpoints are not exchanged until the IKE_AUTH exchange. If the  
> identities are not exchanged until the IKE_AUTH exchange, how does  
> the responder know which of the initiator's proposals are  
> acceptable during the IKE_SA_INIT exchange?
>
> RFC 4301 discusses the use of the SPD to find acceptable policy for  
> the creation of CHILD_SAs and it discusses the use of the PAD to  
> authenticate IKE endpoints. It does not appear to define a  
> construct to identify what policy is acceptable for the creation of  
> a of an IKE_SA with a specific IKE peer. Does this mean that RFCs  
> 4301 and 4306 do support the definition of peer specific policy for  
> IKE_SAs?
>
> RFC 4306 states, "All implementations of IKEv2 MUST include a  
> management facility that enables a user or system administrator to  
> specify the suites that are acceptable for use with IKE." This  
> seems to imply that peer specific IKE_SA policy should not be  
> defined and that the responder should pick the most secure proposal  
> that the responder supports. Is that correct?
>
> Dave Wierbowski
> z/OS Comm Server Developer
>
> _______________________________________________
> Ipsec mailing list
> Ipsec@xxxxxxxx
> https://www1.ietf.org/mailman/listinfo/ipsec


_______________________________________________
Ipsec mailing list
Ipsec@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ipsec