Re: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names

"Michael C. Richardson" <mcr@sandelman.ottawa.on.ca> Sun, 13 September 1998 04:50 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id AAA02274 for ipsec-outgoing; Sun, 13 Sep 1998 00:50:03 -0400 (EDT)
Message-Id: <199809130507.BAA04059@istari.sandelman.ottawa.on.ca>
To: ipsec@tis.com
Subject: Re: comments on draft-ietf-ipsec-pki-req-01.txt - alternate names
In-reply-to: Your message of "Fri, 11 Sep 1998 12:37:26 EDT." <199809111637.MAA11444@rubicon.rv.tis.com>
Date: Sun, 13 Sep 1998 01:06:59 -0400
From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

>>>>> "Dave" == Dave Mason <dmason@tis.com> writes:
    Dave> If it's marked as a non-mobile certificate in the policy database, the
    Dave> database would restrict the ip addresses allowed for the remote
  
  If it's not a mobile node, then your local policy database will have a
clear end-point for the router. So, even if they steal the router and drop
it in somewhere with a different IP address, the SAs that would be
allowed to be negotiated would be for the original location.
  The names in the certificate are *not* policy information. They are
keys to policy information. If you use the stuff *as* policy information,
then you are going to get hosed. Use KeyNote or something instead if you
want scaling beyond your local config file.

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |         Firewalls, TCP/IP and Unix administration
 Personal: mcr@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/SSW/>.
	ON HUMILITY: To err is human, to moo bovine.