
Re: multiple phase 1 tunnel and proxy ID issues



Cliff,

I'll address this last issue, and leave the former 2 to the IKE experts.

>3)Phase 2 Proxy ID
>For Phase 2 negotiation, the ID payload can be of
>type "fully qualified user name string", such as
>piper@foo.com. Even if we can negotiate the phase 2
>SA successfully, the negotiated SA cannot be used
>to protect packets until the user name is turned into
>some IP address(host, range, subnet). How do we
>solve this user name to IP address mapping? Assuming
>the user is mobile, this mapping can be quite dynamic.

When an SA is established and a name form other than an IP address is used
to authenticate the peer, it will be necessary to create a dynamic SPD
entry (as well as the usual SAD entry) that specifies the
(dynamically-assigned) address of the peer.  For inbound traffic, the SAD
entry (selected by the SPI/dest addr/protocol triple) is used to perform
the necessary selector checks after IPsec primary processing.  For outbound
traffic, the newly created SPD entry is used to vector traffic to the right
SA (SAD entry).  There needs to be a housekeeping function to remove the
SAD entry afterwards, but there does not seem to be a security problem if
the same dynamic address is assigned to a new peer, since the keying
material would be different and the SA establishment procedure should
detect the SPD reuse.

Steve
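The mechanism Steve sketches (a name-authenticated peer gets a SAD entry plus a dynamic SPD entry keyed on its assigned address, inbound packets are matched by the SPI/dest addr/protocol triple and then selector-checked, outbound packets are vectored by the dynamic SPD entry, and the entries are removed afterwards) can be modelled in a few lines. The following is an added toy model, not code from this thread or from any IPsec implementation; the class and method names, the addresses, SPIs and key bytes are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical, constructed model of the SPD/SAD interaction described in the
# post. Not a real IPsec stack: no crypto, only the table bookkeeping.


@dataclass
class SadEntry:
    spi: int
    dst: str          # our address (the SA's destination for inbound traffic)
    proto: str        # "esp" or "ah"
    peer_id: str      # name form used at authentication, e.g. user@domain
    peer_addr: str    # dynamically assigned address of that peer
    key: bytes        # keying material for this SA (constructed sample)


@dataclass
class SpdEntry:
    remote_addr: str  # selector: traffic to/from this peer address
    spi: int          # SA (SAD entry) this policy vectors traffic to
    dynamic: bool     # created at SA establishment, removed with the SA


class IpsecTables:
    def __init__(self) -> None:
        self.sad: Dict[Tuple[int, str, str], SadEntry] = {}
        self.spd: Dict[str, SpdEntry] = {}

    def establish_sa(self, spi: int, local_addr: str, proto: str,
                     peer_id: str, peer_addr: str, key: bytes) -> None:
        """Peer authenticated by name: add the SAD entry and a dynamic SPD entry
        for the address the peer was assigned."""
        existing = self.spd.get(peer_addr)
        if existing is not None:
            # The address is still covered by a live dynamic policy: the
            # establishment procedure detects the reuse instead of silently
            # rebinding the address to a different peer.
            raise ValueError(f"SPD reuse detected for {peer_addr} "
                             f"(still bound to SPI {existing.spi:#x})")
        self.sad[(spi, local_addr, proto)] = SadEntry(
            spi, local_addr, proto, peer_id, peer_addr, key)
        self.spd[peer_addr] = SpdEntry(peer_addr, spi, dynamic=True)

    def teardown_sa(self, spi: int, local_addr: str, proto: str) -> None:
        """Housekeeping: remove the SAD entry together with its dynamic SPD entry,
        so the address can later be assigned to a new peer."""
        entry = self.sad.pop((spi, local_addr, proto))
        spd = self.spd.get(entry.peer_addr)
        if spd is not None and spd.dynamic and spd.spi == spi:
            del self.spd[entry.peer_addr]

    def inbound(self, spi: int, dst: str, proto: str,
                inner_src: str) -> Tuple[str, Optional[int]]:
        """Inbound: select the SAD entry by the (SPI, dest addr, protocol) triple,
        then run the selector check against the decapsulated packet."""
        entry = self.sad.get((spi, dst, proto))
        if entry is None:
            return ("drop: no SA", None)
        if inner_src != entry.peer_addr:
            return ("drop: selector mismatch", spi)
        return ("accept", spi)

    def outbound(self, dst: str) -> Optional[int]:
        """Outbound: the dynamic SPD entry vectors traffic for the peer's
        address to the right SA; None means no policy (here: no SA to use)."""
        spd = self.spd.get(dst)
        return spd.spi if spd is not None else None


if __name__ == "__main__":
    t = IpsecTables()
    t.establish_sa(0x1001, "192.0.2.1", "esp", "piper@foo.com",
                   "198.51.100.7", b"constructed-key-1")
    print(t.outbound("198.51.100.7"))
    print(t.inbound(0x1001, "192.0.2.1", "esp", "198.51.100.7"))
    t.teardown_sa(0x1001, "192.0.2.1", "esp")
    print(t.outbound("198.51.100.7"))
```

The two points worth noticing are the selector check on the inbound path (a packet that arrives under a valid SPI but with an inner source that is not the peer's assigned address is dropped rather than accepted) and the reuse check in `establish_sa`: while the old dynamic SPD entry is still present, a new peer handed the same address cannot bind it, and once housekeeping has removed the old SAD/SPD pair the address can be reassigned under fresh keying material.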
