
Re: multiple phase 1 tunnel and proxy ID issues



Why does a mobile user have to send an ID (IP address or anything else) in Phase 2?
Isn't it already uniquely identified (and policy-matched) by the gateway in
Phase 1 by its e-mail, FQDN or DN?

Roy Pereira wrote:

> For a mobile client, its phase 1 ID will be something like an email
> address since its IP address is not static.  For its phase 2 ID though,
> it will need to send an IP address.  This IP address is its dynamically
> assigned IP address that it received through PPP, DHCP, ISAKMP-CFG or
> any other means.  The trick is that the gateway must be able to remember
> the phase 1 ID to get policy for the phase 2 negotiation.
>
> Although it is not in any Internet draft, I really don't believe that all ID
> types are valid for phase 1 and phase 2.  Phase 1, for instance, doesn't
> really support subnets and ranges.  While phase 2 doesn't really support
> email, DN & GN.
>
> > I totally agree with what you replied in the mail.  Actually
> > my question is that if a user name instead of an IP address is
> > used in the ID payload of the phase 2 negotiation, even if
> > a Phase 2 SA is negotiated successfully, we cannot
> > create an SPD entry, since a user ID cannot be used to
> > process packets. We need to turn that ID into an address
> > in order to create an SPD entry. But I am not sure how
> > to map that ID into an IP address. This is a practical case
> > when two mobile users log into two different ISP boxes,
> > get dynamic addresses and they want to have their
> > data traffic protected. The ISP boxes' policy can only be
> > configured with the mobile users' IDs, since their
> > addresses are dynamically assigned. The ISP boxes
> > can negotiate a Phase 2 SA with the ID, but then they
> > somehow need to exchange the user ID to IP address
> > mapping with each other. Otherwise an SPD entry cannot be
> > created.



--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-739-2384
http://www.ire.com
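The mechanism the thread describes (policy configured by the mobile user's phase 1 identity, the gateway remembering that identity per ISAKMP SA, and the client's dynamically assigned address arriving as the phase 2 ID and becoming the SPD selector) is sketched below as a toy Python model. This is an added illustration for this page, not code from any IKE implementation or from the posters; the Gateway class, its method names, the sample policy, the cookie pair and the addresses are all constructed for the example. The ID type numbers are the ones in RFC 2407 section 4.6.2.1; the model also shows why a name-type ID in phase 2 (the e-mail address again) yields no selector and so no SPD entry, which is the problem the original question raises.

```python
import ipaddress
from dataclasses import dataclass

# ISAKMP identification types (RFC 2407 section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4
ID_IPV4_ADDR_RANGE = 7
ID_DER_ASN1_DN = 9

# The split Roy describes: names in phase 1, address forms in phase 2.
PHASE1_ID_TYPES = {ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_DER_ASN1_DN}
PHASE2_ID_TYPES = {ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET, ID_IPV4_ADDR_RANGE}


def selector_from_id(id_type, id_data):
    """Turn a phase 2 ID payload into an address selector, or None when the
    ID type cannot describe packets (a user name gives no selector)."""
    if id_type == ID_IPV4_ADDR:
        return ipaddress.ip_network(f"{id_data}/32")
    if id_type == ID_IPV4_ADDR_SUBNET:
        addr, mask = id_data  # RFC 2407 carries address + netmask
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return None  # ranges left out for brevity; name types never map


@dataclass
class SPDEntry:
    identity: str                       # phase 1 identity the policy came from
    local_net: ipaddress.IPv4Network    # IDcr: network behind the gateway
    remote_net: ipaddress.IPv4Network   # IDci: the client's dynamic address


class Gateway:
    """Assumed gateway model: policy keyed by phase 1 identity."""

    def __init__(self, policy):
        # policy: identity -> list of networks that identity may reach
        self.policy = {ident: [ipaddress.ip_network(n) for n in nets]
                       for ident, nets in policy.items()}
        self.isakmp_sas = {}  # cookie pair -> authenticated phase 1 identity
        self.spd = []         # installed SPD entries

    def phase1(self, cookies, id_type, id_data):
        """Phase 1: peer identity is authenticated (assumed done here) and
        remembered against the ISAKMP SA so phase 2 can find its policy."""
        if id_type not in PHASE1_ID_TYPES or id_data not in self.policy:
            return False
        self.isakmp_sas[cookies] = id_data
        return True

    def phase2(self, cookies, idci, idcr):
        """Quick mode: IDci is the client's dynamically assigned address,
        IDcr the network it wants to reach. Policy comes from the phase 1 ID."""
        identity = self.isakmp_sas.get(cookies)
        if identity is None:
            return None  # no phase 1 SA to hang policy on
        client = selector_from_id(*idci)
        wanted = selector_from_id(*idcr)
        if client is None or client.prefixlen != 32 or wanted is None:
            return None  # a name or a non-host IDci cannot become an SPD selector
        if not any(wanted.subnet_of(allowed) for allowed in self.policy[identity]):
            return None  # this identity is not allowed to reach that network
        entry = SPDEntry(identity, wanted, client)
        self.spd.append(entry)
        return entry

    def lookup(self, src, dst):
        """Outbound packet classification: which SPD entry covers src -> dst?"""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for e in self.spd:
            if s in e.local_net and d in e.remote_net:
                return e
        return None


def demo():
    """Constructed exchange: alice authenticates by e-mail in phase 1, then
    presents the address she got from her ISP as the phase 2 IDci."""
    gw = Gateway({"alice@example.com": ["10.1.0.0/16"]})
    cookies = (b"\x11" * 8, b"\x22" * 8)  # constructed ISAKMP cookie pair
    assert gw.phase1(cookies, ID_USER_FQDN, "alice@example.com")
    subnet = (ID_IPV4_ADDR_SUBNET, ("10.1.0.0", "255.255.0.0"))
    ok = gw.phase2(cookies, (ID_IPV4_ADDR, "198.51.100.7"), subnet)
    bad = gw.phase2(cookies, (ID_USER_FQDN, "alice@example.com"), subnet)
    hit = gw.lookup("10.1.2.3", "198.51.100.7")
    miss = gw.lookup("10.1.2.3", "198.51.100.8")
    return ok, bad, hit, miss


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that the phase 1 identity is only ever used as a policy key; packets are matched against the address the client sent in phase 2, so a phase 2 ID that cannot be turned into an address selector leaves the gateway with a negotiated SA and nothing to install in the SPD.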




