
Re: Quick Mode client IDs



>>>>> "Shawn" == Shawn Mamros <smamros@BayNetworks.COM> writes:

 Shawn> One issue which has been raised here at the IPSec
 Shawn> interoperability workshop is the usage of client IDs in IKE
 Shawn> Quick Mode, and what should be assumed if they are not
 Shawn> specified.  To help resolve this, we have come up with some
 Shawn> (hopefully) clarifying text, which is proposed to replace the
 Shawn> current fourth paragraph of section 5.5 of the IKE draft
 Shawn> (draft-ietf-ipsec-isakmp-oakley-06.txt):

 Shawn> The identities of the SAs negotiated in Quick Mode are
 Shawn> implicitly assumed to be the IP addresses of the ISAKMP peers,
 Shawn> without any implied constraints on the protocol or port
 Shawn> numbers allowed, unless client identifiers are specified in
 Shawn> Quick Mode.  If ISAKMP is acting as a client negotiator on
 Shawn> behalf of another party, the identities of the parties MUST be
 Shawn> passed as IDci and then IDcr.  Local policy will dictate
 Shawn> whether the proposals are acceptable for the identities
 Shawn> specified.  If the client identities are not acceptable to the
 Shawn> Quick Mode responder (due to policy or other reasons), a
 Shawn> Notify payload with Notify Message Type INVALID-ID-INFORMATION
 Shawn> (18), followed by an acceptable pair of client identifiers, in
 Shawn> two ID payloads (IDci followed by IDcr) SHOULD be sent.

That sounds right -- except that I'm not sure about the last sentence.

Suppose I have an ISAKMP SA identified by my IP address, and policy
says that IPSEC SAs must be identified with usernames.

How would I construct "an acceptable pair of client identifiers"?  And 
what is the intended interpretation of that information?

I suppose I could send back a pair of names like "foo@bar.com" which
the other end is expected to interpret as "send me something that
looks like this pattern".  Is that the intent?

	paul
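The policy check the proposed paragraph describes (default identities = the ISAKMP peers' addresses with no protocol or port constraint, explicit IDci/IDcr otherwise, and an INVALID-ID-INFORMATION (18) Notify carrying a suggested pair when local policy rejects the IDs) can be sketched as a small responder-side model. The following is an added example written for this page, not code from the thread, the IKE draft, or any implementation; the ID type values (ID_IPV4_ADDR, ID_USER_FQDN, ...) and the ID payload body layout are assumed from the IPsec DOI, and the policy classes, addresses and names are constructed for illustration. The second policy below models the situation in the reply above: an ISAKMP SA identified by address, while IPsec SAs must be identified by username.

```python
"""Responder-side model of IKE Quick Mode client-ID handling (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
import struct

# ID type values assumed from the IPsec DOI; verify against the DOI draft.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4

# Notify Message Type quoted in the proposed text.
INVALID_ID_INFORMATION = 18


@dataclass(frozen=True)
class ClientID:
    """One client identifier as carried in an IDci or IDcr payload."""
    id_type: int
    data: str          # dotted address, prefix, or name depending on id_type
    protocol: int = 0  # 0 = no constraint on protocol
    port: int = 0      # 0 = no constraint on port

    def encode_body(self) -> bytes:
        """DOI ID payload body after the generic ISAKMP payload header
        (assumed layout: type, protocol ID, port, then identification data)."""
        if self.id_type == ID_IPV4_ADDR:
            data = bytes(int(octet) for octet in self.data.split("."))
        elif self.id_type == ID_IPV4_ADDR_SUBNET:
            net = ip_network(self.data, strict=False)
            data = net.network_address.packed + net.netmask.packed
        else:
            data = self.data.encode("ascii")
        return struct.pack("!BBH", self.id_type, self.protocol, self.port) + data


@dataclass
class Policy:
    """Local policy of the Quick Mode responder (constructed for the example)."""
    accepted_id_types: frozenset
    allowed_nets: tuple = ()      # prefix strings, consulted for address-based IDs only
    suggested_pair: tuple = ()    # (IDci, IDcr) returned with the Notify


def default_ids(initiator_ip: str, responder_ip: str):
    """No client IDs in Quick Mode: the SA identities are implicitly the
    ISAKMP peers' addresses, with no protocol or port constraint."""
    return ClientID(ID_IPV4_ADDR, initiator_ip), ClientID(ID_IPV4_ADDR, responder_ip)


def id_acceptable(cid: ClientID, policy: Policy) -> bool:
    if cid.id_type not in policy.accepted_id_types:
        return False
    if cid.id_type in (ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET):
        net = ip_network(cid.data, strict=False)
        return any(net.subnet_of(ip_network(allowed)) for allowed in policy.allowed_nets)
    return True  # name-based ID of an accepted type; per-name checks would go here


def responder_decision(policy: Policy, initiator_ip: str, responder_ip: str,
                       idci: ClientID = None, idcr: ClientID = None):
    """Return ('accept', IDci, IDcr) or ('notify', 18, (suggested IDci, IDcr))."""
    if idci is None and idcr is None:
        idci, idcr = default_ids(initiator_ip, responder_ip)
    elif idci is None or idcr is None:
        # The text requires IDci then IDcr; a lone ID is treated as unacceptable here.
        return ("notify", INVALID_ID_INFORMATION, policy.suggested_pair)
    if id_acceptable(idci, policy) and id_acceptable(idcr, policy):
        return ("accept", idci, idcr)
    return ("notify", INVALID_ID_INFORMATION, policy.suggested_pair)


if __name__ == "__main__":
    # Constructed policy: IPsec SAs must be identified by username, not address.
    name_policy = Policy(
        accepted_id_types=frozenset({ID_USER_FQDN}),
        suggested_pair=(ClientID(ID_USER_FQDN, "someone@example.com"),
                        ClientID(ID_USER_FQDN, "gateway@example.com")),
    )
    # Initiator sent no client IDs, so the defaults (peer addresses) apply and fail policy.
    print(responder_decision(name_policy, "192.0.2.1", "198.51.100.1"))
```

With `name_policy`, an initiator that omits client IDs gets back Notify type 18 and the pair of USER_FQDN names the responder would accept; whether the initiator reads that pair as a literal pair or as a pattern is exactly the interpretation question the reply raises, and the model leaves it to the initiator.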

