Hi While working on some text for the AD-VPN document, I came across some weirdness in the base IKEv2 specification:
The IDi and IDr payloads have any of several types: ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR, ID_DER_ASN1_DN, ID_DER_ASN1_GN, and ID_KEY_ID. Section 4 (conformance requirements) says that implementations MUST support "certificates containing and signed by RSA keys of size 1024 or 2048 bits, where the ID passed is any of ID_KEY_ID, ID_FQDN, ID_RFC822_ADDR, or ID_DER_ASN1_DN.". Section 2.15 (authentication of the IKE SA has the following paragraph: Optionally, messages 3 and 4 MAY include a certificate, or certificate chain providing evidence that the key used to compute a digital signature belongs to the name in the ID payload. What I could not find anywhere in the RFC is how to match name in the ID payload to the certificate. In HTTPS we have a requirement that either the CN or the dNSName alternate name match the domain name in the URL. We don't have similar rules for IKE, do we? Of course, looking at RFC 5280, we have all sorts of alternate names that look suspiciously useful: otherName, rfc822Name, dNSName, directoryName, iPAddress. But it is not immediately obvious: 1. Is it enough for the ID payload to match the alternate name? 2. Is it enough for an ID_FQDN to match the CommonName of a certificate subject? 3. Is it enough for an ID_DER_ASN1_DN to match the certificate subject? 4. Is it enough if the ID_IPV*_ADDR matches the source IP of the IKE packet? I've looked in RFC 4301 and found this in section 4.4.3.2: This document does not require that the IKE ID asserted by a peer be syntactically related to a specific field in an end entity certificate that is employed to authenticate the identity of that peer. However, it often will be appropriate to impose such a requirement, e.g., when a single entry represents a set of peers each of whom may have a distinct SPD entry. The reason this came up in the context of AD-VPN, is that unlike "static" VPN, in AD-VPN the PAD is populated dynamically, so while we can manually configure a static VPN implementation that to assert identity "foo", a peer must present a certificate with value "baz" and field "bar", we'd need to either copy that rule to other peers in AD-VPN (regardless of which solution, btw), or we'd need a good rule. So do you think it would be appropriate to mandate these matching rules in rfc5996bis, or should this be left to AD-VPN solutions. IOW, is such a standard rule needed for generic IKE/IPsec? Yoav _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
