
More Proxy ID questions



I've been watching the discussion about Phase II Proxy IDs with interest
and have a couple of questions regarding the processing of these IDs.  As a
preface to my questions, my understanding of the uses of Proxy IDs is 1) to
specify the selector(s) that the Initiator and Responder will use to
associate particular IP packets with the tunnel utilizing the SA(s)
negotiated in Phase II, and 2) to determine the appropriate Security
Policy for use in negotiation.

What does it mean when the Initiator sends an IDui, IDur and the Responder
doesn't send any IDs?  Does this imply that the Responder will be using the
values in the ID payloads sent by the Initiator as selectors for that
particular SA?

What should happen when the Initiator sends an IDui, IDur and the Responder
sends IDui, IDur that differ from the Initiator's IDs?  Is this an error?

Also, in our implementation, if the selector IP addresses are different
from the IP addresses associated with the Phase II (IPSec) SA, then tunnel
mode must be used so that the system that receives an IPSec packet can
locate the correct SA.  If this is universally true across the various
implementations, then shouldn't draft-ietf-ipsec-isakmp-oakley specify
that the Encapsulation Mode MUST be tunnel?  My concern is that if this
isn't specified, it could be a source of numerous tunnel configuration
errors.

-- 
Will Fiveash    
IBM AIX System Development        Internet: will@austin.ibm.com
11400 Burnet Road, Bld.905/9551   VNET:     FIVEASH AT AUSTIN
Austin, TX 78758-3493  Phone:(512) 838-7904(off)/3509(fax), T/L 678-7904
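The selector bookkeeping the message describes (proxy IDs as the selectors that map packets to a Phase II SA, and the poster's rule that selectors which are not the SA endpoints force tunnel mode), as an added illustration that is not part of the original message or of any IPsec implementation. The `ProxyID`, `Phase2SA`, `reconcile_ids` and `select_sa` names, the gateway addresses, and the handling of an absent or mismatched Responder ID pair (treated here as "accept the Initiator's pair" and "negotiation error" respectively) are assumptions chosen to make the questions concrete, not statements of what the draft requires:

```python
"""Constructed example: modeling IKE Phase II proxy IDs as SA selectors."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = 0  # wildcard for protocol and port fields


@dataclass(frozen=True)
class ProxyID:
    """One Phase II identity (IDui or IDur): a host or prefix plus optional protocol/port."""
    network: ipaddress.IPv4Network
    protocol: int = ANY
    port: int = ANY

    @classmethod
    def parse(cls, text: str, protocol: int = ANY, port: int = ANY) -> "ProxyID":
        # strict=False lets both "10.1.0.0/16" and a plain host "10.1.2.3" parse
        return cls(ipaddress.IPv4Network(text, strict=False), protocol, port)

    def covers(self, addr: str, protocol: int = ANY, port: int = ANY) -> bool:
        """True when the given address/protocol/port falls inside this selector."""
        if ipaddress.IPv4Address(addr) not in self.network:
            return False
        if self.protocol != ANY and self.protocol != protocol:
            return False
        if self.port != ANY and self.port != port:
            return False
        return True


IDPair = Tuple[ProxyID, ProxyID]  # (IDui, IDur) in the order the Initiator sent them


def reconcile_ids(initiator: IDPair, responder: Optional[IDPair]) -> IDPair:
    """Decide which (IDui, IDur) pair the SA will use.

    Assumption (not taken from the draft): a Responder that omits the ID
    payloads accepts the Initiator's pair; a Responder that returns a
    different pair is a negotiation error.
    """
    if responder is None:
        return initiator
    if responder != initiator:
        raise ValueError(f"responder IDs {responder} do not match initiator IDs {initiator}")
    return responder


@dataclass(frozen=True)
class Phase2SA:
    """A negotiated SA: the selectors it protects and the gateways it runs between."""
    spi: int
    ids: IDPair
    local_gw: str   # constructed gateway addresses (RFC 5737 documentation ranges)
    remote_gw: str

    def requires_tunnel_mode(self) -> bool:
        """The poster's rule: if the selectors are anything other than the two
        SA endpoints themselves, the receiver needs tunnel mode to find the SA."""
        local_id, remote_id = self.ids
        endpoints_only = (
            local_id.network == ipaddress.IPv4Network(self.local_gw + "/32")
            and remote_id.network == ipaddress.IPv4Network(self.remote_gw + "/32")
        )
        return not endpoints_only


def select_sa(sas: List[Phase2SA], src: str, dst: str, protocol: int = ANY,
              sport: int = ANY, dport: int = ANY) -> Optional[Phase2SA]:
    """Map an outbound packet to the first SA whose selector pair covers it."""
    for sa in sas:
        id_local, id_remote = sa.ids
        if id_local.covers(src, protocol, sport) and id_remote.covers(dst, protocol, dport):
            return sa
    return None


if __name__ == "__main__":
    subnet_pair = (ProxyID.parse("10.1.0.0/16"), ProxyID.parse("10.2.0.0/16"))
    ids = reconcile_ids(subnet_pair, None)          # Responder sent no IDs
    sa = Phase2SA(0x1001, ids, "192.0.2.1", "198.51.100.1")
    print("tunnel mode required:", sa.requires_tunnel_mode())
    print("packet 10.1.5.5 -> 10.2.9.9 uses SPI", hex(select_sa([sa], "10.1.5.5", "10.2.9.9").spi))
```

Run as a script, the demo shows a subnet-to-subnet selector pair forcing tunnel mode and a packet from inside the first prefix being mapped to that SA; a packet outside both prefixes returns `None`, which is the case where a missing SA (or a wrong encapsulation mode) would surface as the configuration error the poster worries about.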