Multiple Phase 1 Channels between hosts?
Hi,
Is anyone supporting multiple phase 1 channels between the same two hosts
when Main mode is used in the phase 1 negotiations? I ask this for two
reasons:
1> Is there a real need for a user to be able to specify that
particular phase 1 security parameters protect particular phase 2 SA
negotiations?
2> If 1> is true, then it seems to me that when Main mode is used, the
responder is going to have a hard time determining the correct Phase 1
security policy to use in phase 1 negotiations, and also determining that
a particular Phase 2 negotiation was protected by the "correct" Phase 1 SA
as specified by local security policy.
The following diagram shows different Phase 1 channels protecting different
Phase 2 SA negotiations (for different client ID pairs).
Host                                                    Host
 A                                                        B
---                                                      ---
 |                                                        |
 |______________Phase 1 using DES, HMD5___________________|
 |  |                                                  |  |
 |  |___________Phase 2 using AH HMD5_________________|  |
 |              (authenticate DNS)                        |
 |                                                        |
 |                                                        |
 |______________Phase 1 using 3DES, SHA___________________|
 |  |                                                  |  |
 |  |___________Phase 2 using AH+ESP _________________|  |
 |              (auth/encrypt email)                      |
--
Will Fiveash
IBM AIX System Development Internet: will@austin.ibm.com
11400 Burnet Road, Bld.905/9551 Notes: will@austin.ibm.com@internet
Austin, TX 78758-3493 Phone:(512) 838-7904(off)/3509(fax), T/L 678-7904
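The responder-side problem the post raises, as an added example that is not part of the original message: a toy model of an IKEv1 responder (Host B) that must pick a Phase 1 proposal in Main Mode messages 1/2, when only the initiator's IP address and SA payload are visible (identities arrive encrypted in messages 5/6), and that can only check at Quick Mode time whether the ISAKMP SA carrying the Phase 2 negotiation is the one local policy requires for that client-ID pair. Host names, the client IDs, and the policy tables are constructed for illustration.

```python
# Added example (not from Will Fiveash's post): a toy model of the IKEv1
# responder-side checks the post asks about. Host names, client IDs and the
# policy tables below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Phase1Proposal:
    """Phase 1 (ISAKMP SA) parameters offered in Main Mode messages 1/2."""
    encr: str      # e.g. "DES", "3DES"
    hash_alg: str  # e.g. "MD5", "SHA"


@dataclass(frozen=True)
class IsakmpSA:
    """An established Phase 1 SA: which peer it is with and what it negotiated."""
    peer_addr: str
    proposal: Phase1Proposal


@dataclass(frozen=True)
class Phase2Policy:
    """Local policy for one client-ID pair: the IPsec protocol to use and,
    optionally, the Phase 1 parameters that must protect its negotiation."""
    protocol: str                              # "AH" or "AH+ESP"
    required_phase1: Optional[Phase1Proposal]  # None means any Phase 1 SA is fine


class Responder:
    def __init__(self,
                 phase1_by_peer: Dict[str, List[Phase1Proposal]],
                 phase2_by_ids: Dict[Tuple[str, str], Phase2Policy]):
        self.phase1_by_peer = phase1_by_peer  # keyed by peer IP address only
        self.phase2_by_ids = phase2_by_ids    # keyed by (src client ID, dst client ID)

    def select_phase1(self, peer_addr: str,
                      offered: List[Phase1Proposal]) -> Optional[Phase1Proposal]:
        """Main Mode messages 1/2. The responder has seen only the initiator's
        address and SA payload; identities come encrypted in messages 5/6, and
        nothing in Phase 1 says which Phase 2 will follow. So the only choice
        it can make is "first offered proposal permitted for this address"."""
        acceptable = self.phase1_by_peer.get(peer_addr, [])
        for proposal in offered:
            if proposal in acceptable:
                return proposal
        return None

    def check_quick_mode(self, protecting_sa: IsakmpSA, src_id: str,
                         dst_id: str, protocol: str) -> Tuple[bool, str]:
        """Quick Mode. Now the client IDs are known, so the responder can test
        whether the ISAKMP SA carrying this exchange is the one local policy
        demands for these IDs. Returns (ok, reason)."""
        policy = self.phase2_by_ids.get((src_id, dst_id))
        if policy is None:
            return False, "no Phase 2 policy for this client-ID pair"
        if policy.protocol != protocol:
            return False, f"policy requires {policy.protocol}, got {protocol}"
        if (policy.required_phase1 is not None
                and protecting_sa.proposal != policy.required_phase1):
            return False, (f"Quick Mode protected by {protecting_sa.proposal}, "
                           f"policy requires {policy.required_phase1}")
        return True, "ok"


# The two Phase 1 channels from the diagram in the post, as seen by Host B.
DES_MD5 = Phase1Proposal("DES", "MD5")
TDES_SHA = Phase1Proposal("3DES", "SHA")

HOST_B = Responder(
    phase1_by_peer={"hostA": [DES_MD5, TDES_SHA]},
    phase2_by_ids={
        ("hostA/dns", "hostB/dns"): Phase2Policy("AH", DES_MD5),
        ("hostA/mail", "hostB/mail"): Phase2Policy("AH+ESP", TDES_SHA),
    },
)


def scenario() -> Dict[str, object]:
    """Run the exchange from the post and collect the outcomes."""
    # Initiator A offers both proposals; B cannot tell which Phase 2 is coming,
    # so it takes the first acceptable one (DES/MD5).
    chosen = HOST_B.select_phase1("hostA", [DES_MD5, TDES_SHA])
    sa_weak = IsakmpSA("hostA", chosen)
    sa_strong = IsakmpSA("hostA", TDES_SHA)
    return {
        "phase1_choice": chosen,
        "dns_under_weak": HOST_B.check_quick_mode(sa_weak, "hostA/dns", "hostB/dns", "AH"),
        "mail_under_weak": HOST_B.check_quick_mode(sa_weak, "hostA/mail", "hostB/mail", "AH+ESP"),
        "mail_under_strong": HOST_B.check_quick_mode(sa_strong, "hostA/mail", "hostB/mail", "AH+ESP"),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The point the model makes concrete: Phase 1 selection at the responder can only be keyed on the peer address, so with two acceptable proposals from the same address pair the responder has no basis for preferring one over the other; the binding of a client-ID pair to "its" Phase 1 parameters can only be enforced as a rejection at Quick Mode time (the "mail_under_weak" case), which then costs a failed Phase 2 and a second Phase 1 exchange.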