
List:       ipsec
Subject:    RE: [Ipsec] questions about OCSP in IKEv2(2)
From:       Charlie Kaufman <charliek () exchange ! microsoft ! com>
Date:       2006-03-31 6:56:54
Message-ID: F0B4EE8E56F9DD4B80419C6D82521397029C6681 () df-foxhound-msg ! exchange ! corp ! microsoft ! com

> Then here is my question,
> (1) What is the meaning of "in-band" and "out-of-band" in IKE exchange? Give some
> examples?

IKEv2 allows some potentially large data items (like certificates and CRLs) to be
sent "out of band". This means that in the IKEv2 exchange, instead of including the
large data items, the IKEv2 message carries a cryptographic hash of the data and a
URL from which the data can be fetched. Retrieving these URLs can run over a
different protocol (usually http) that runs over TCP and can therefore better cope
with large data items.


> (2) Does OOB need to use IPsec/IKE to access CRLs? Then how does it cause
> network access deadlock?

In some configurations, the only way an endpoint can retrieve the URL named in the
IKEv2 exchange is by tunneling the request over the IPsec connection being
established. For example, if my laptop is creating an IPsec tunnel to my corporate
intranet and the CRL is only available on the corporate intranet, then I cannot
retrieve the CRL until I have completed the IKEv2 exchange. If I refused to complete
the creation of the IPsec tunnel until I had verified the CRL, this would create a
deadlock.

This can in practice be avoided by software that conditionally opens the IPsec
tunnel before verifying the CRL. It can then retrieve the CRL over the IPsec tunnel,
verify it, and then open the IPsec tunnel for other uses.

Unfortunately, while simple to describe, it can be difficult to implement depending
on how the software on the endpoint is structured.

> (3) What on earth are OCSP Responder Hash and OCSP Response for?

I don't know. Perhaps someone else on this list can help with this one.

        --Charlie Kaufman

-----Original Message-----
From: 杜春燕(DU Chun-yan) [mailto:210313041@suda.edu.cn]
Sent: Thursday, March 30, 2006 5:59 PM
To: ipsec@ietf.org
Subject: [Ipsec] questions about OCSP in IKEv2(2)

Hello,all!
      According to section 1 of OCSP Extensions to IKEv2
(draft-myers-ikev2-ocsp-01.txt): "CRLs can however grow unbounded in size. Many
real-world examples exist to demonstrate the impracticality of including a
multi-megabyte file in an IKE exchange. This constraint is particularly acute in
bandwidth limited environments (e.g. mobile communications). The net effect is
exclusion of in-band CRLs in favor of out-of-band (OOB) acquisition of these data,
should they even be used at all. Reliance on OOB methods can be further complicated
if access to revocation data requires use of IPsec (and therefore IKE) to establish
secure and authorized access to the CRLs of an IKE participant. Such network access
deadlock further contributes to a reduced reliance on certificate revocation status
in favor of blind trust."

 Then here is my question,
 (1) What is the meaning of "in-band" and "out-of-band" in IKE exchange? Give some
 examples?
 (2) Does OOB need to use IPsec/IKE to access CRLs? Then how does it cause network
 access deadlock?
 (3) What on earth are OCSP Responder Hash and OCSP Response for? I think OCSP
 Responder Hash is used for the sender to notify the receiver which OCSP Responder
 it trusts, just like the function of Certificate Authority in the CERTREQ payload.
 It is the receiver's duty to form an OCSP request to the OCSP Responder. After
 getting the OCSP response, the receiver has to form and transmit the OCSP Response
 CERT payload. According to the OCSP Response CERT, the other peer may abort the
 IKEv2 exchange if it indicates the certificate is revoked or an OCSP error. Is it
 true? If this is the case, then I am confused about why the receiver still sends
 the certificate in CERT and OCSP Responder CERT now that the OCSP Response CERT
 indicates that the certificate is revoked or an OCSP error; should it abort the
 exchange at once? Moreover, would it be better for the sender of OCSP Responder
 Hash to check the certificate status?

  Thank you in advance!


Regards,

         DU Chun-yan
        210313041@suda.edu.cn
          2006-03-31



_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
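The two mechanisms Charlie describes above, the "hash and URL" form of the CERT
payload and the conditionally opened tunnel that breaks the CRL-fetch deadlock,
worked through in code. This is an added example written for this page; it is not
code from the thread, from the draft, or from any IKEv2 implementation. The payload
layout (generic IKEv2 payload header, one-byte Cert Encoding, then for encodings 12
and 13 a 20-byte SHA-1 of the DER data followed by the URL) is RFC 4306 section 3.6;
everything else is assumed for illustration: the certificate bytes are a constructed
placeholder rather than real DER, the INTRANET dict stands in for the HTTP GET a peer
would issue through the tunnel, and ProvisionalTunnel is a toy model of the
"open for the CRL fetch only, then open for everything" policy, not any product's API.

```python
import hashlib
import hmac
import struct
from urllib.parse import urlparse

# IKEv2 CERT payload (RFC 4306 section 3.6): generic payload header (Next Payload,
# Critical bit + reserved, Payload Length including the header), then a one-byte
# Cert Encoding and the Certificate Data. For the two "Hash and URL" encodings the
# Certificate Data is SHA-1 of the DER-encoded certificate (or bundle) followed by
# the URL it can be fetched from, so the large object itself never rides in IKE.
CERT_HASH_URL_X509 = 12    # Hash and URL of X.509 certificate
CERT_HASH_URL_BUNDLE = 13  # Hash and URL of X.509 bundle
SHA1_LEN = 20
HEADER = struct.Struct("!BBHB")  # next payload, flags, payload length, cert encoding


def build_hash_url_cert(data: bytes, url: str, encoding: int = CERT_HASH_URL_X509,
                        next_payload: int = 0) -> bytes:
    """Send `data` out of band: the payload carries SHA-1(data) and `url`, not data."""
    cert_data = hashlib.sha1(data).digest() + url.encode("ascii")
    return HEADER.pack(next_payload, 0, HEADER.size + len(cert_data), encoding) + cert_data


def parse_hash_url_cert(payload: bytes):
    """Return (encoding, sha1, url) from a Hash-and-URL CERT payload; ValueError if malformed."""
    if len(payload) < HEADER.size:
        raise ValueError("truncated CERT payload header")
    _next, _flags, length, encoding = HEADER.unpack_from(payload)
    if length != len(payload):
        raise ValueError("Payload Length does not match the bytes received")
    if encoding not in (CERT_HASH_URL_X509, CERT_HASH_URL_BUNDLE):
        raise ValueError(f"cert encoding {encoding} is not a Hash and URL encoding")
    cert_data = payload[HEADER.size:]
    if len(cert_data) <= SHA1_LEN:
        raise ValueError("Certificate Data must hold a 20-byte hash plus a non-empty URL")
    digest, url = cert_data[:SHA1_LEN], cert_data[SHA1_LEN:].decode("ascii")
    parsed = urlparse(url)
    # Assumption for this example: only http(s) URLs with a host are worth fetching.
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"unusable URL in CERT payload: {url!r}")
    return encoding, digest, url


def verify_fetched(expected_sha1: bytes, fetched: bytes) -> bool:
    """Fetched bytes are only trusted if they hash to the value carried inside IKE."""
    return hmac.compare_digest(hashlib.sha1(fetched).digest(), expected_sha1)


class ProvisionalTunnel:
    """Toy model of the deadlock workaround: after IKEv2 completes, admit only
    traffic to the host named in the URL until the OOB data is fetched and verified."""

    def __init__(self, url: str):
        parsed = urlparse(url)
        default_port = 443 if parsed.scheme == "https" else 80
        self.allowed = (parsed.hostname, parsed.port or default_port)
        self.state = "PROVISIONAL"

    def permit(self, dst_host: str, dst_port: int) -> bool:
        if self.state == "OPEN":
            return True
        return self.state == "PROVISIONAL" and (dst_host, dst_port) == self.allowed

    def finish(self, expected_sha1: bytes, fetched: bytes) -> str:
        """Open the tunnel for general use only if the fetched data matches the hash."""
        self.state = "OPEN" if verify_fetched(expected_sha1, fetched) else "CLOSED"
        return self.state


# Constructed stand-ins: not a real DER certificate, and the dict replaces the HTTP
# GET that would normally run through the provisional tunnel to the intranet.
PEER_CERT = b"\x30\x82\x01\x00constructed-peer-certificate"
INTRANET = {
    "http://pki.corp.example/peer.der": PEER_CERT,
    "http://pki.corp.example/tampered.der": PEER_CERT + b"!",
}


def exchange(url: str) -> dict:
    """Responder side: parse the peer's CERT payload, fetch through the provisional
    tunnel, verify against the hash, and report what the tunnel now allows."""
    payload = build_hash_url_cert(PEER_CERT, url)          # what the peer put in IKE
    _enc, digest, fetch_url = parse_hash_url_cert(payload)
    tunnel = ProvisionalTunnel(fetch_url)
    host, port = tunnel.allowed
    if not tunnel.permit(host, port):
        raise RuntimeError("tunnel policy blocks the very fetch it was opened for")
    fetched = INTRANET[fetch_url]                           # stands in for HTTP GET
    state = tunnel.finish(digest, fetched)
    return {"state": state, "mail_allowed": tunnel.permit("mail.corp.example", 25)}


if __name__ == "__main__":
    print(exchange("http://pki.corp.example/peer.der"))      # {'state': 'OPEN', 'mail_allowed': True}
    print(exchange("http://pki.corp.example/tampered.der"))  # {'state': 'CLOSED', 'mail_allowed': False}
```

The hash check is what makes the URL safe to dereference: the URL is unauthenticated
hint material, but the SHA-1 travels inside the IKE exchange, so whatever the HTTP
server returns is accepted only if it matches. The second run shows the failure
mode: a mismatched fetch leaves the tunnel closed rather than silently open.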

