Quick Mode client IDs
One issue which has been raised here at the IPSec interoperability workshop
is the usage of client IDs in IKE Quick Mode, and what should be assumed
if they are not specified. To help resolve this, we have come up with some
(hopefully) clarifying text, which is proposed to replace the current fourth
paragraph of section 5.5 of the IKE draft
(draft-ietf-ipsec-isakmp-oakley-06.txt):
The identities of the SAs negotiated in Quick Mode are implicitly assumed
to be the IP addresses of the ISAKMP peers, without any implied constraints
on the protocol or port numbers allowed, unless client identifiers are
specified in Quick Mode. If ISAKMP is acting as a client negotiator on
behalf of another party, the identities of the parties MUST be passed as
IDci and then IDcr. Local policy will dictate whether the proposals are
acceptable for the identities specified. If the client identities are not
acceptable to the Quick Mode responder (due to policy or other reasons), a
Notify payload with Notify Message Type INVALID-ID-INFORMATION (18),
followed by an acceptable pair of client identifiers, in two ID payloads
(IDci followed by IDcr) SHOULD be sent.
Questions and comments welcome...
-Shawn Mamros
E-mail to: smamros@BayNetworks.com
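The responder-side check the proposed text describes, written out as an added Python example; it is not part of this message or of the IKE draft, and the `ClientID` structure, the policy table and all addresses are constructed for illustration:

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

INVALID_ID_INFORMATION = 18  # Notify Message Type named in the proposed text
ANY = 0                      # "no implied constraints" on protocol or port


@dataclass(frozen=True)
class ClientID:
    """One ID payload: an address range plus optional protocol/port selectors."""
    network: IPv4Network
    protocol: int = ANY
    port: int = ANY


def effective_ids(peer_i, peer_r, idci=None, idcr=None):
    """Identities the Quick Mode SA is for. With no client IDs, assume the
    ISAKMP peers' own addresses with any protocol and port, as the text says."""
    if idci is None and idcr is None:
        return (ClientID(ip_network(f"{peer_i}/32")),
                ClientID(ip_network(f"{peer_r}/32")))
    if idci is None or idcr is None:
        raise ValueError("IDci and IDcr MUST be passed together")
    return (idci, idcr)


def covers(policy_id, proposed):
    """True if a policy entry permits the proposed identity (range inside, selectors free or equal)."""
    return (proposed.network.subnet_of(policy_id.network)
            and policy_id.protocol in (ANY, proposed.protocol)
            and policy_id.port in (ANY, proposed.port))


def responder_decision(policy, peer_i, peer_r, idci=None, idcr=None):
    """Return ("accept", (IDci, IDcr)), or ("notify", 18, (IDci, IDcr)) with
    an acceptable pair to send back, as the proposed text recommends."""
    ids = effective_ids(peer_i, peer_r, idci, idcr)
    for pol_ci, pol_cr in policy:
        if covers(pol_ci, ids[0]) and covers(pol_cr, ids[1]):
            return ("accept", ids)
    # Prefer a policy pair whose address ranges overlap the proposal, else the first
    for pol_ci, pol_cr in policy:
        if (pol_ci.network.overlaps(ids[0].network)
                and pol_cr.network.overlaps(ids[1].network)):
            return ("notify", INVALID_ID_INFORMATION, (pol_ci, pol_cr))
    return ("notify", INVALID_ID_INFORMATION, policy[0])


# Constructed policy for a gateway at 198.51.100.7 protecting 192.168.1.0/24:
POLICY = [
    (ClientID(ip_network("0.0.0.0/0")), ClientID(ip_network("198.51.100.7/32"))),
    (ClientID(ip_network("0.0.0.0/0"), protocol=6),
     ClientID(ip_network("192.168.1.0/24"), protocol=6)),  # TCP only to the subnet
]
```

With no client IDs the first entry accepts the peer-to-peer default; a UDP proposal for the protected subnet is rejected and the TCP-only pair is returned as the acceptable IDci/IDcr.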