Re: Quick Mode client IDs
>>>>> "Shawn" == Shawn Mamros <smamros@BayNetworks.COM> writes:
Shawn> One issue which has been raised here at the IPSec
Shawn> interoperability workshop is the usage of client IDs in IKE
Shawn> Quick Mode, and what should be assumed if they are not
Shawn> specified. To help resolve this, we have come up with some
Shawn> (hopefully) clarifying text, which is proposed to replace the
Shawn> current fourth paragraph of section 5.5 of the IKE draft
Shawn> (draft-ietf-ipsec-isakmp-oakley-06.txt):
Shawn> The identities of the SAs negotiated in Quick Mode are
Shawn> implicitly assumed to be the IP addresses of the ISAKMP peers,
Shawn> without any implied constraints on the protocol or port
Shawn> numbers allowed, unless client identifiers are specified in
Shawn> Quick Mode. If ISAKMP is acting as a client negotiator on
Shawn> behalf of another party, the identities of the parties MUST be
Shawn> passed as IDci and then IDcr. Local policy will dictate
Shawn> whether the proposals are acceptable for the identities
Shawn> specified. If the client identities are not acceptable to the
Shawn> Quick Mode responder (due to policy or other reasons), a
Shawn> Notify payload with Notify Message Type INVALID-ID-INFORMATION
Shawn> (18), followed by an acceptable pair of client identifiers, in
Shawn> two ID payloads (IDci followed by IDcr) SHOULD be sent.
That sounds right -- except that I'm not sure about the last sentence.
Suppose I have an ISAKMP SA identified by my IP address, and policy
says that IPSEC SAs must be identified with usernames.
How would I construct "an acceptable pair of client identifiers"? And
what is the intended interpretation of that information?
I suppose I could send back a pair of names like "foo@bar.com" which
the other end is expected to interpret as "send me something that
looks like this pattern". Is that the intent?
paul
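As an added illustration of the payload chain the proposed text prescribes (this is example code, not anything from either poster or from the IKE draft), the Python below encodes and decodes a Notify payload of type INVALID-ID-INFORMATION (18) followed by IDci and IDcr. It uses the generic payload header and Notification payload layout from RFC 2408 and the ID payload body and ID type codes from RFC 2407; the function names, the responder/initiator split, and the sample identities ("foo@bar.com" and 192.0.2.1) are assumptions of this example.

```python
import struct
import ipaddress

# Payload type codes (RFC 2408), IPsec DOI and ID types (RFC 2407), and the
# notify type named in the proposed text (INVALID-ID-INFORMATION = 18).
PAYLOAD_NONE = 0
PAYLOAD_ID = 5
PAYLOAD_NOTIFY = 11
IPSEC_DOI = 1
NOTIFY_INVALID_ID_INFORMATION = 18
ID_IPV4_ADDR = 1
ID_USER_FQDN = 3


def id_data(id_type, value):
    """Encode an identity value as ID payload identification data."""
    if id_type == ID_IPV4_ADDR:
        return ipaddress.IPv4Address(value).packed
    if id_type == ID_USER_FQDN:
        return value.encode("ascii")
    raise ValueError("unsupported ID type %d" % id_type)


def decode_id(id_type, data):
    if id_type == ID_IPV4_ADDR:
        return str(ipaddress.IPv4Address(data))
    if id_type == ID_USER_FQDN:
        return data.decode("ascii")
    return data.hex()


def generic_payload(next_payload, body):
    # Generic header (RFC 2408 3.2): next payload, reserved, total length.
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def id_payload(next_payload, id_type, value, protocol_id=0, port=0):
    # ID body (RFC 2407): ID type, protocol ID, port, identification data.
    body = struct.pack("!BBH", id_type, protocol_id, port) + id_data(id_type, value)
    return generic_payload(next_payload, body)


def notify_payload(next_payload, notify_type, protocol_id=0, spi=b"", data=b""):
    # Notification body (RFC 2408 3.14): DOI, protocol ID, SPI size, type, SPI, data.
    body = struct.pack("!IBBH", IPSEC_DOI, protocol_id, len(spi), notify_type) + spi + data
    return generic_payload(next_payload, body)


def reject_client_ids(idci, idcr):
    """Responder side: Notify(18) -> IDci -> IDcr, as the proposed text says.
    idci and idcr are (id_type, value) tuples chosen by local policy."""
    return (notify_payload(PAYLOAD_ID, NOTIFY_INVALID_ID_INFORMATION)
            + id_payload(PAYLOAD_ID, *idci)
            + id_payload(PAYLOAD_NONE, *idcr))


def parse_payload_chain(buf, first_type):
    """Walk an ISAKMP payload chain, checking every length field against the
    buffer before using it; returns [(payload_type, body), ...]."""
    payloads, ptype, off = [], first_type, 0
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(buf):
            raise ValueError("truncated payload header")
        next_type, _reserved, length = struct.unpack_from("!BBH", buf, off)
        if length < 4 or off + length > len(buf):
            raise ValueError("bad payload length %d" % length)
        payloads.append((ptype, buf[off + 4:off + length]))
        off += length
        ptype = next_type
    if off != len(buf):
        raise ValueError("trailing bytes after last payload")
    return payloads


def interpret_invalid_id_notification(buf):
    """Initiator side: accept only Notify(18) -> IDci -> IDcr and return the
    two hinted identities as (id_type, decoded_value) tuples."""
    payloads = parse_payload_chain(buf, PAYLOAD_NOTIFY)
    if [t for t, _ in payloads] != [PAYLOAD_NOTIFY, PAYLOAD_ID, PAYLOAD_ID]:
        raise ValueError("expected Notify followed by exactly two ID payloads")
    nbody = payloads[0][1]
    if len(nbody) < 8:
        raise ValueError("truncated Notify body")
    doi, _proto, _spi_size, ntype = struct.unpack_from("!IBBH", nbody)
    if doi != IPSEC_DOI or ntype != NOTIFY_INVALID_ID_INFORMATION:
        raise ValueError("not an IPsec INVALID-ID-INFORMATION notify")
    hints = []
    for _, body in payloads[1:]:
        if len(body) < 4:
            raise ValueError("truncated ID body")
        id_type, _proto, _port = struct.unpack_from("!BBH", body)
        hints.append((id_type, decode_id(id_type, body[4:])))
    return hints


if __name__ == "__main__":
    # Constructed sample: policy wants a user name for the client and the
    # responder's own address for the other end (values are made up).
    msg = reject_client_ids((ID_USER_FQDN, "foo@bar.com"), (ID_IPV4_ADDR, "192.0.2.1"))
    print(interpret_invalid_id_notification(msg))
```

The initiator-side parser only validates structure and lengths (a malformed or truncated chain is rejected rather than read past the buffer); what the initiator should then do with the hinted pair is exactly the interpretation question raised in the reply above, and nothing here settles it.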