
Quick Mode client IDs



One issue which has been raised here at the IPSec interoperability workshop
is the usage of client IDs in IKE Quick Mode, and what should be assumed
if they are not specified.  To help resolve this, we have come up with some
(hopefully) clarifying text, which is proposed to replace the current fourth
paragraph of section 5.5 of the IKE draft
(draft-ietf-ipsec-isakmp-oakley-06.txt):

  The identities of the SAs negotiated in Quick Mode are implicitly assumed
  to be the IP addresses of the ISAKMP peers, without any implied constraints
  on the protocol or port numbers allowed, unless client identifiers are
  specified in Quick Mode.  If ISAKMP is acting as a client negotiator on
  behalf of another party, the identities of the parties MUST be passed as
  IDci and then IDcr.  Local policy will dictate whether the proposals are
  acceptable for the identities specified.  If the client identities are not
  acceptable to the Quick Mode responder (due to policy or other reasons), a
  Notify payload with Notify Message Type INVALID-ID-INFORMATION (18),
  followed by an acceptable pair of client identifiers, in two ID payloads
  (IDci followed by IDcr) SHOULD be sent.

Questions and comments welcome...

-Shawn Mamros
E-mail to: smamros@BayNetworks.com
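An added illustration, not part of the message above or of the IKE draft: a small Python model of the proposed responder rule, defaulting absent client IDs to the ISAKMP peers' addresses with no protocol or port constraint, and answering an unacceptable pair with a Notify of type INVALID-ID-INFORMATION (18) followed by an acceptable IDci/IDcr. The policy representation, the use of protocol/port 0 to mean "no constraint", and the choice of which acceptable pair to suggest are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network

INVALID_ID_INFORMATION = 18  # Notify Message Type named in the proposed text
ANY = 0                      # assumed encoding: protocol/port 0 = no constraint


@dataclass(frozen=True)
class ClientID:
    """Quick Mode client identifier: address or CIDR, optional proto/port."""
    address: str
    protocol: int = ANY
    port: int = ANY


def effective_ids(peer_i, peer_r, idci=None, idcr=None):
    """Default rule: with no client IDs, the SA identities are the ISAKMP
    peers' own addresses with no protocol or port constraint."""
    if (idci is None) != (idcr is None):
        raise ValueError("IDci and IDcr MUST be passed together")
    if idci is None:
        return ClientID(peer_i), ClientID(peer_r)
    return idci, idcr


def covered(cid, allowed):
    """True if the requested ID lies inside a policy entry: address within the
    allowed subnet, and protocol/port either unconstrained by policy or equal
    to the request (an unconstrained request does not satisfy a
    protocol- or port-specific policy entry)."""
    requested = ip_network(cid.address, strict=False)
    permitted = ip_network(allowed.address, strict=False)
    return (requested.subnet_of(permitted)
            and allowed.protocol in (ANY, cid.protocol)
            and allowed.port in (ANY, cid.port))


def responder_check(policy, peer_i, peer_r, idci=None, idcr=None):
    """Responder decision: ("ok", (IDci, IDcr)) when local policy accepts the
    identities, else ("notify", 18, (IDci, IDcr)) carrying an acceptable pair
    to send in two ID payloads after the Notify payload."""
    ci, cr = effective_ids(peer_i, peer_r, idci, idcr)
    for pol_i, pol_r in policy:
        if covered(ci, pol_i) and covered(cr, pol_r):
            return ("ok", (ci, cr))
    suggest_i, suggest_r = policy[0]  # assumption: offer the first policy entry
    return ("notify", INVALID_ID_INFORMATION, (suggest_i, suggest_r))


# Constructed sample policy: the responder only protects 10.1.0.0/16 for clients
# in 10.2.0.0/16, so a Quick Mode with no client IDs (host-to-host between the
# peers 192.0.2.1 and 192.0.2.2) is answered with Notify 18 plus this pair.
POLICY = [(ClientID("10.2.0.0/16"), ClientID("10.1.0.0/16"))]
```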
