
Re: ISAKMP SA negotiation



>   Mary,
> 
> >>Now, when site B receives the message, it consults its policies and
> >>determines what SAs are acceptable to it.  It finds that both P1 and P2
> >>are acceptable, but that P2 is preferred over P1.  Knowing that site A
> >>prefers P1, which should site B choose to respond with?
> >>
> > 
> > I have written an implementation of a policy data base/server. When
> > resolving a list of proposals, the preferences of the
> > initiator are honored. So in the above example, ISAKMP would use P1.
> 
> That might be what you'd do but my implementation chooses P2. In the
> example, B has his own policy priority settings; he wants P2 over P1.
> In fact, if A offered P1, P2, P3, P4 and B wanted P4, P2, P1, P3, B
> would select P4. I never let someone else override my local policy. It
> was set like that for a reason.
> 
>   Dan.

The above begs the question of who we believe the owner of the SA 
is and why they should be considered as the owner.  

Scenario:

An initiator's policy may require the initiator to dictate the 
confidentiality and integrity services applied to its messages - 
therefore the initiator should have its prioritisation respected.

On the other hand the responder may want to dictate the 
authentication service on the message it will receive from the 
initiator; then its policy dictates that it honours its prioritisation 
list.

Since both initiator and responder policies agree that both SAs are 
acceptable, do we have a problem?

Elfed
****************************************************

Elfed T. Weaver
Defence Evaluation & Research Agency
Malvern
UK

weaver@hydra.dra.hmg.gb

****************************************************
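The two selection rules argued over in the thread (honour the initiator's ordering versus honour the responder's local priority list), as an added example written for this page rather than code from any of the posters' implementations; the proposal names, the offer P1..P4 and B's priority list P4, P2, P1, P3 are taken from Dan's message, and the function names are my own.

```python
# Added example: ISAKMP proposal selection under the two policies discussed above.
# Proposal identifiers are constructed; a responder's policy is modelled as an
# ordered list whose members are the proposals it accepts.
from typing import Optional, Sequence


def select_initiator_preferred(offered: Sequence[str],
                               responder_policy: Sequence[str]) -> Optional[str]:
    """Mary's rule: take the first proposal in the initiator's order that the
    responder's policy accepts at all."""
    acceptable = set(responder_policy)
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None  # no overlap: responder can only reject (NO-PROPOSAL-CHOSEN)


def select_responder_preferred(offered: Sequence[str],
                               responder_policy: Sequence[str]) -> Optional[str]:
    """Dan's rule: walk the responder's own priority list and take the first
    entry the initiator actually offered. The responder never selects outside
    the offer, so local policy narrows the choice but cannot widen it."""
    offered_set = set(offered)
    for proposal in responder_policy:
        if proposal in offered_set:
            return proposal
    return None


def compare_rules(offered: Sequence[str], responder_policy: Sequence[str]) -> dict:
    """Show where the two rules diverge; both still land inside the offer, so
    the disagreement is about preference, not about acceptability."""
    a = select_initiator_preferred(offered, responder_policy)
    b = select_responder_preferred(offered, responder_policy)
    return {"initiator_rule": a, "responder_rule": b, "conflict": a != b}


if __name__ == "__main__":
    # Dan's example: A offers P1..P4, B prefers P4, P2, P1, P3.
    print(compare_rules(["P1", "P2", "P3", "P4"], ["P4", "P2", "P1", "P3"]))
    # Same offer, but B only accepts P2 and P4: the rules still differ.
    print(compare_rules(["P1", "P2", "P3", "P4"], ["P4", "P2"]))
    # No common proposal: both rules fail the negotiation.
    print(compare_rules(["P1", "P2"], ["P3"]))
```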

