
SA negotiation



Sender: owner-ipsec@portal.ex.tis.com

>>Hi Jim,
>>
>> >>Now, when site B receives the message, it consults its policies and
>> >>determines what SAs are acceptable to it.  It finds that both P1 and P2
>> >>are acceptable, but that P2 is preferred over P1.  Knowing that site A
>> >>prefers P1, which should site B choose to respond with?
>>
>>I have written an implementation of a policy data base/server. When
>>resolving a list of proposals, the preferences of the
>>initiator are honored. So in the above example, ISAKMP would use P1.
>>
>>Mary

I disagree. If the initiator makes more than one proposal, he is
relinquishing control.  If the proposer wants P1, he should only offer
P1.  If he will accept either, then he must be prepared to have the
responder choose.

Another question on the subject:  Key life duration... if the initiator
proposal is identical to a responder policy except the key life
associated with the entry is different, e.g. initiator proposes P1 (key
life 100 seconds) and responder has a policy entry with key life of 150
seconds.  I think even though the entries don't match, the responder
should respond with 100 seconds (the more restrictive).  Comments?
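
The two selection rules argued in this thread, together with the key-life handling proposed in the last paragraph, as an added sketch that is not part of the original message or of any ISAKMP implementation. The `Proposal` fields, the `select` function and the transform strings are constructed for illustration; taking the smaller key life in both directions is an assumption that generalizes the 100 vs. 150 second case.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    name: str       # label used in the thread, e.g. "P1"
    transform: str  # constructed stand-in for every attribute except key life
    key_life: int   # seconds


def select(offered: List[Proposal], policy: List[Proposal],
           honor: str = "initiator") -> Optional[Proposal]:
    """Pick the SA proposal the responder answers with.

    offered: initiator's proposals, in the initiator's preference order.
    policy:  responder's acceptable entries, in the responder's order.
    honor:   whose ordering decides ("initiator" or "responder").
    Entries match when everything except key life is identical; the
    reply carries the more restrictive (smaller) key life.
    """
    if honor not in ("initiator", "responder"):
        raise ValueError("honor must be 'initiator' or 'responder'")
    by_initiator = honor == "initiator"
    outer, inner = (offered, policy) if by_initiator else (policy, offered)
    for first in outer:
        for second in inner:
            if first.transform != second.transform:
                continue
            off, pol = (first, second) if by_initiator else (second, first)
            return replace(off, key_life=min(off.key_life, pol.key_life))
    return None  # nothing acceptable: the negotiation fails


# Constructed sample data: site A prefers P1, site B prefers P2.
OFFERED = [Proposal("P1", "transform-a", 100),
           Proposal("P2", "transform-b", 100)]
POLICY = [Proposal("P2", "transform-b", 300),
          Proposal("P1", "transform-a", 150)]

if __name__ == "__main__":
    for who in ("initiator", "responder"):
        chosen = select(OFFERED, POLICY, honor=who)
        print(f"{who} preference honored -> {chosen.name}, "
              f"key life {chosen.key_life}s")
```
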