IKE Authentication and Identification
IKE phase 1 modes
- MUST: Aggressive mode and Main mode
Authentication methods
- SHOULD: Pre-shared keys with Aggressive Mode
- AM enables hosts with dynamically assigned IP addresses to have per-endpoint pre-shared keys
- SHOULD NOT: Pre-shared keys with Main Mode
- MM only permits group pre-shared keys when host addresses are dynamically assigned
- MAY: Certificates with Main Mode or Aggressive Mode
Identification mechanisms
- MUST: IP Address payload (ID_IPV4_ADDR, ID_IPV6_ADDR)
- How do we use this with pre-shared keys where addresses are dynamically assigned?
- MUST NOT: Subnets and Ranges (ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR_SUBNET, ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE)
- Not mentioned: ID_FQDN, ID_USER_FQDN, ID_DER_ASN1_DN, ID_DER_ASN1_GN
- May need to revisit this
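The following is an added example (not part of this outline, and not code from any IKE implementation) that models why the authentication-method and identification items above interact the way they do. It simulates only the responder's pre-shared key selection step: in Main Mode the peer's ID payload is carried in message 5, which is already encrypted under keys derived from the PSK, so the responder can only select a key by the initiator's source address; in Aggressive Mode the ID payload is in message 1, so a per-endpoint key can be chosen by identity. It also shows the open question under the ID_IPV4_ADDR bullet: an Aggressive Mode peer that identifies itself only by its dynamically assigned address still cannot be matched to a per-endpoint key. All peers, addresses, key bytes and the `Responder`, `Peer` and `Phase1Message1` names are constructed for this example.

```python
# Added example: models the information an IKEv1 responder has available when
# it must choose a pre-shared key, in Main Mode vs Aggressive Mode.
# Hosts, addresses and key material below are constructed, not real.
from dataclasses import dataclass
from typing import Optional, Tuple

# Identification payload types named in the outline (RFC 2407 names).
ID_IPV4_ADDR = "ID_IPV4_ADDR"
ID_FQDN = "ID_FQDN"


@dataclass
class Peer:
    ident: Tuple[str, str]   # (id_type, id_value), e.g. (ID_FQDN, "laptop.example")
    psk: bytes


@dataclass
class Phase1Message1:
    src_ip: str
    mode: str                          # "main" or "aggressive"
    ident: Optional[Tuple[str, str]]   # ID payload: present in AM msg 1, absent in MM msg 1


class Responder:
    """Hypothetical responder holding per-endpoint PSKs plus an optional group PSK."""

    def __init__(self, peers, group_psk: Optional[bytes] = None):
        self.by_ident = {p.ident: p.psk for p in peers}
        self.group_psk = group_psk

    def select_psk(self, msg: Phase1Message1):
        """Return (psk, basis) describing which key was chosen and why.

        Main Mode: the ID payload only arrives in message 5, encrypted under
        keys derived from the PSK, so the key must be chosen from the source
        address alone.  Aggressive Mode: the ID payload is in message 1, so a
        per-endpoint key can be chosen by identity before any key derivation.
        """
        if msg.mode == "aggressive" and msg.ident is not None:
            psk = self.by_ident.get(msg.ident)
            if psk is not None:
                return psk, "per-endpoint key selected by ID payload"
        # Main Mode path (and AM fallback): only the source IP is usable.
        psk = self.by_ident.get((ID_IPV4_ADDR, msg.src_ip))
        if psk is not None:
            return psk, "per-endpoint key selected by source IP"
        if self.group_psk is not None:
            return self.group_psk, "fell back to group key"
        return None, "no key available"


def build_demo_responder() -> Responder:
    # Constructed peers: one with a static address, one roaming laptop known by FQDN.
    peers = [
        Peer((ID_IPV4_ADDR, "192.0.2.10"), b"static-host-key"),
        Peer((ID_FQDN, "laptop.example"), b"laptop-key"),
    ]
    return Responder(peers, group_psk=b"group-key")


def demo():
    """Run the scenarios from the outline and return {scenario: basis}."""
    r = build_demo_responder()
    dyn_ip = "198.51.100.7"   # constructed dynamically assigned address
    return {
        "MM, static address": r.select_psk(Phase1Message1("192.0.2.10", "main", None))[1],
        "MM, dynamic address": r.select_psk(Phase1Message1(dyn_ip, "main", None))[1],
        "AM, dynamic address, ID_FQDN": r.select_psk(
            Phase1Message1(dyn_ip, "aggressive", (ID_FQDN, "laptop.example")))[1],
        "AM, dynamic address, ID_IPV4_ADDR": r.select_psk(
            Phase1Message1(dyn_ip, "aggressive", (ID_IPV4_ADDR, dyn_ip)))[1],
    }


if __name__ == "__main__":
    for scenario, basis in demo().items():
        print(f"{scenario:36s} -> {basis}")
```

The last scenario is the point raised under the ID_IPV4_ADDR bullet: Aggressive Mode only helps dynamically addressed hosts get per-endpoint keys if they identify with something stable such as ID_FQDN, not with the address they happen to hold.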