
Re: use of client IDs



Pyda Srisuresh wrote:
<trimmed...>
> > Policy is a local matter. Gateways with differing policies may or may
> > not communicate, depending upon the intersection of their policy sets.
> >
> 
> Well, not really.
> 
> A VPN node has to use policies to determine which SA to send a packet out
> on. When a packet is received on an SA (say, SAin), it will detunnel the
> packet and send to the appropriate target host. When a response comes back
> from the target host, the VPN node has to figure out which of the many SAs
> to use for sending the packet back to peer-VPN node (There may be multiple
> SAs between the same peering nodes). If there is no policy mismatch between
> the peering nodes, this would be no problem in selecting the right SA.
> Otherwise, there is a potential for you to send the packets on the wrong
> SA.

You missed the point: if their policies don't intersect, *there won't be
a SA*.

> I believe, the intent of exchanging policies is so that a VPN node could
> use the policy to correctly determine which SA to use on the way out.

Policies are not exchanged, at least not in the current implementations,
as far as I know. Proposals which result from policy are exchanged.
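A small model of the two points made above, added here as an illustration and not code from this thread or from any IPsec implementation: each side's security policy is a list of traffic selectors, an SA exists only for a non-empty intersection of a local and a peer selector (so disjoint policies yield no SA at all), and outbound SA selection is then a lookup of the packet against the installed SA selectors. Addresses, policies and SPI values are constructed for the example; the selectors are written in the local-to-peer orientation, and where several SAs to the same peer match a packet the narrowest selector wins.

```python
"""Toy model of policy-driven SA negotiation and outbound SA selection."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Selector:
    """Traffic selector in the local-to-peer direction."""
    src: IPv4Network
    dst: IPv4Network
    proto: str  # "any", "tcp" or "udp"


def _net_intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    # Two prefixes either nest or are disjoint: the intersection is the
    # narrower one when one contains the other, otherwise empty.
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def _proto_intersect(a: str, b: str) -> Optional[str]:
    if a == b:
        return a
    if a == "any":
        return b
    if b == "any":
        return a
    return None


def selector_intersect(a: Selector, b: Selector) -> Optional[Selector]:
    src = _net_intersect(a.src, b.src)
    dst = _net_intersect(a.dst, b.dst)
    proto = _proto_intersect(a.proto, b.proto)
    if src is None or dst is None or proto is None:
        return None
    return Selector(src, dst, proto)


@dataclass(frozen=True)
class SA:
    spi: int
    selector: Selector


def negotiate(local: List[Selector], peer: List[Selector]) -> List[SA]:
    """Install one SA per distinct non-empty pairwise policy intersection.

    If no local selector overlaps any peer selector, no SA is created.
    """
    sas: List[SA] = []
    seen = set()
    spi = 0x1000  # constructed SPI values, assigned sequentially
    for lp in local:
        for pp in peer:
            s = selector_intersect(lp, pp)
            if s is not None and s not in seen:
                seen.add(s)
                sas.append(SA(spi, s))
                spi += 1
    return sas


def select_outbound_sa(sas: List[SA], src: str, dst: str, proto: str) -> Optional[SA]:
    """Pick the SA for an outbound packet; None means no SA covers it."""
    s, d = ip_address(src), ip_address(dst)
    matches = [sa for sa in sas
               if s in sa.selector.src and d in sa.selector.dst
               and sa.selector.proto in ("any", proto)]
    if not matches:
        return None
    # Among several SAs to the same peer, prefer the most specific selector.
    return max(matches, key=lambda sa: (sa.selector.src.prefixlen + sa.selector.dst.prefixlen,
                                        sa.selector.proto != "any"))


# Constructed policy sets for the two peers.
LOCAL_POLICY = [
    Selector(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), "any"),
    Selector(ip_network("10.1.0.0/16"), ip_network("10.3.0.0/24"), "tcp"),  # peer never agrees
    Selector(ip_network("10.1.5.0/24"), ip_network("10.2.7.0/24"), "tcp"),
]
PEER_POLICY = [
    Selector(ip_network("10.1.5.0/24"), ip_network("10.2.0.0/16"), "any"),
    Selector(ip_network("10.1.0.0/16"), ip_network("10.4.0.0/16"), "udp"),  # local never agrees
]

if __name__ == "__main__":
    installed = negotiate(LOCAL_POLICY, PEER_POLICY)
    for sa in installed:
        print(hex(sa.spi), sa.selector)
    for pkt in [("10.1.5.7", "10.2.0.9", "tcp"), ("10.1.5.7", "10.2.7.3", "tcp"),
                ("10.1.6.7", "10.2.0.9", "tcp"), ("10.1.5.7", "10.3.0.1", "tcp")]:
        chosen = select_outbound_sa(installed, *pkt)
        print(pkt, "->", hex(chosen.spi) if chosen else "no SA")
```

The last two packets show the point of the reply: the local policy alone would send 10.1.6.7 and 10.3.0.1 traffic into the tunnel, but because the peer's policy never intersected those selectors there is no SA to choose from, so selection fails cleanly rather than picking a wrong SA.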

