
Re: multiple phase 1 tunnel and proxy ID issues



If an FQDN or DN is used to negotiate the Phase 2 tunnel, the FQDN or DN
needs to be translated to an IP address so that an SPD entry can be
created for packet processing. This ID->IP address translation
can be done through a DNS lookup. But for a mobile user whose
address is dynamically assigned, a DNS lookup is probably not
going to work. So some mechanism is needed to notify
the remote gateway of this address mapping so that a new SPD
entry can be created on that remote gateway.

Cliff



bkavsan@ire-ma.com on 05/26/98 05:55:03 PM
Please respond to bkavsan@ire-ma.com
To: rpereira@TimeStep.com
cc: ipsec@tis.com, kent@bbn.com, Cliff Wang/Raleigh/IBM@ibmus
Subject: Re: multiple phase 1 tunnel and proxy ID issues


Why does a mobile user have to send an ID (IP address or anything else) in Phase 2?
Isn't it already uniquely identified (and policy-matched) by the gateway in
Phase 1 by its e-mail, FQDN or DN?

Roy Pereira wrote:

> For a mobile client, its phase 1 ID will be something like an email
> address since its IP address is not static.  For its phase 2 ID though,
> it will need to send an IP address.  This IP address is its dynamically
> assigned IP address that it received through PPP, DHCP, ISAKMP-CFG or
> any other means.  The trick is that the gateway must be able to remember
> the phase 1 ID to get policy for the phase 2 negotiation.
>
> Although not in any Internet Draft, I really don't believe that all ID
> types are valid for phase 1 and phase 2.  Phase 1, for instance, doesn't
> really support subnets and ranges, while phase 2 doesn't really support
> email, DN & GN.
>
> > I totally agree with what you replied in the mail.  Actually
> > my question is that if a user name instead of an IP address is
> > used in the ID payload of the phase 2 negotiation, even if
> > a Phase 2 SA is negotiated successfully, we cannot
> > create an SPD entry since a user ID cannot be used to
> > process packets. We need to turn that ID into an address
> > in order to create an SPD entry. But I am not sure how
> > to map that ID into an IP address. This is a practical case
> > when two mobile users log into two different ISP boxes,
> > get a dynamic address and want to have their
> > data traffic protected. The ISP boxes' policy can only be
> > configured with the mobile users' IDs, since their
> > addresses are dynamically assigned. The ISP boxes
> > can negotiate a Phase 2 SA with the ID, but then they
> > somehow need to exchange the user-ID-to-IP-address
> > mapping with each other. Otherwise the SPD entry cannot be
> > created.



--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-739-2384
http://www.ire.com
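The gateway-side bookkeeping the thread describes (keep the authenticated Phase 1 identity to look up policy, then derive the SPD selector from the address the peer sends in Phase 2, or from an ID->IP lookup when the Phase 2 ID is an FQDN), as an added example that is not code from the list or from any poster. The ID type numbers are RFC 2407's; the policy table, the cookie used to name a Phase 1 SA, and the resolver mapping are constructed for the example.

```python
"""Toy model of the gateway bookkeeping discussed in this thread (example only)."""
import ipaddress

# ISAKMP/IPsec DOI identification types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR_SUBNET, ID_DER_ASN1_DN = 1, 2, 3, 4, 9
ADDRESS_ID_TYPES = {ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET}


class Gateway:
    """Remembers who a Phase 1 SA belongs to and builds SPD entries in Phase 2."""

    def __init__(self, policy, resolver=None):
        # policy: (Phase 1 ID type, ID value) -> local network that peer may reach
        self.policy = policy
        # resolver: FQDN -> address; a constructed stand-in for the DNS lookup
        self.resolver = resolver or {}
        self.phase1 = {}   # Phase 1 SA cookie -> (ID type, ID value) of the peer
        self.spd = []      # installed (remote selector, local selector) pairs

    def phase1_complete(self, cookie, id_type, id_value):
        """Record the authenticated Phase 1 identity; refuse peers with no policy."""
        if (id_type, id_value) not in self.policy:
            raise PermissionError(f"no policy for Phase 1 identity {id_value!r}")
        self.phase1[cookie] = (id_type, id_value)

    def phase2_proposal(self, cookie, id_type, id_value):
        """Turn the Phase 2 ID into a traffic selector and install an SPD entry."""
        peer = self.phase1[cookie]          # policy is chosen by the Phase 1 ID
        if id_type in ADDRESS_ID_TYPES:
            # the mobile client sends its dynamically assigned address directly
            remote = ipaddress.ip_network(id_value)
        elif id_type == ID_FQDN and id_value in self.resolver:
            # ID -> IP translation through a lookup, as Cliff describes
            remote = ipaddress.ip_network(self.resolver[id_value])
        else:
            # email, DN, or an unresolvable FQDN: no address, so no selector
            raise ValueError(f"Phase 2 ID type {id_type} cannot be mapped to an address")
        entry = (remote, ipaddress.ip_network(self.policy[peer]))
        self.spd.append(entry)
        return entry
```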
