
Re: More Proxy ID questions



I have similar concerns and wonder if you have received any 
    responses that you can share.

> I've been watching the discussion about Phase II Proxy IDs with interest
> and have a couple of questions regarding the processing of these IDs.  As a
> preface to my questions, my understanding of the uses of Proxy IDs is 1; to
> specify the selector(s) that the Initiator and Responder will use to
> associate particular IP packets to the tunnel utilizing the SA(s)
> negotiated in Phase II.  And 2; to determine the appropriate Security
> Policy for use in negotiation.
> 
> What does it mean when the Initiator sends an IDui, IDur and the Responder
> doesn't send any IDs?  Does this imply that the Responder will be using the
> values in the ID payloads sent by the Initiator as selectors for that
> particular SA?
> 
    My guess is the other end has accepted the IDs and will
    be using them.

> What should happen when the Initiator sends an IDui, IDur and the Responder
> sends IDui, IDur that differ from the Initiator's IDs?  Is this an error?
> 
    Also, can IDui differ from IDur?
    E.g. IDui (ID_USER_FQDN) - userA@test.com and
         IDur (ID_FQDN) - hostB.test.com

> Also, in our implementation, if the selector IP addresses are different
> from the IP addresses associated with the Phase II (IPSec) SA then tunnel
> mode must be used so that the system that receives an IPSec packet can
> locate the correct SA.

    You mean when IDui/IDur is of ID_IPVx_ADDR type and differs
    from the ISAKMP host address, then set up a tunnel mode SA.
  
> If this is universally true across the various
> implementations then shouldn't the draft-ietf-ipsec-isakmp-oakley specify
> that the Encapsulation Mode MUST be tunnel?  My concern is that if this
> isn't specified this could be a source of numerous tunnel configuration
> errors.
> 
> -- 
> Will Fiveash    
> IBM AIX System Development        Internet: will@austin.ibm.com
> 11400 Burnet Road, Bld.905/9551   VNET:     FIVEASH AT AUSTIN
> Austin, TX 78758-3493  Phone:(512) 838-7904(off)/3509(fax), T/L 678-7904
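The selector and encapsulation-mode rules argued over in this thread, as an added Python model that is not from either poster or from any IPsec implementation: Phase 2 IDs of type ID_IPV4_ADDR / ID_IPV4_ADDR_SUBNET become the SA's traffic selectors, a Responder that echoes no IDs is taken to have accepted the Initiator's, differing Responder IDs yield no agreed selectors, and transport mode is only possible when the selectors are exactly the ISAKMP peers' own addresses. All addresses are constructed sample values.

```python
import ipaddress

# ISAKMP identification types used for address selectors (names as in the
# IPsec DOI); the rest of the model is constructed for this example.
ID_IPV4_ADDR = "ID_IPV4_ADDR"
ID_IPV4_ADDR_SUBNET = "ID_IPV4_ADDR_SUBNET"


def id_to_network(id_type, value):
    """Turn one Phase 2 ID payload into the address range it selects."""
    if id_type == ID_IPV4_ADDR:
        return ipaddress.IPv4Network(value + "/32")
    if id_type == ID_IPV4_ADDR_SUBNET:          # value is "addr/netmask"
        return ipaddress.IPv4Network(value)
    raise ValueError(f"{id_type} does not describe an address selector")


def selectors_for_sa(idui, idur, responder_ids=None):
    """Return the (source, destination) selectors the SA will carry.

    IDs are (type, value) tuples. If the Responder echoes no IDs, the
    Initiator's IDs are taken as accepted; if it echoes IDs that differ,
    there is no agreed selector pair and None is returned (the thread's
    open question, treated here as a failed negotiation)."""
    proposed = (id_to_network(*idui), id_to_network(*idur))
    if responder_ids is None:
        return proposed
    answered = tuple(id_to_network(*i) for i in responder_ids)
    return proposed if answered == proposed else None


def packet_matches(src, dst, selectors):
    """Does an IP packet fall under this SA's selectors?"""
    src_net, dst_net = selectors
    return (ipaddress.IPv4Address(src) in src_net
            and ipaddress.IPv4Address(dst) in dst_net)


def tunnel_mode_required(selectors, isakmp_initiator, isakmp_responder):
    """Transport mode only works when the protected traffic is exactly the
    ISAKMP peers' own addresses; otherwise the receiver could not find the
    SA from the outer header alone, so tunnel mode is needed."""
    peers = (ipaddress.IPv4Network(isakmp_initiator + "/32"),
             ipaddress.IPv4Network(isakmp_responder + "/32"))
    return selectors != peers
```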