Re: use of client IDs



<... snip>
> 
> > Well, there are many cases where an SPD selector could differ from an
> > SAD selector.
> 
> Bingo - this is correct (and I missed it in my previous response), but I
> don't think you fleshed it out properly below. It's when the SPD
> selector is *not an address*, i.e. if it's a FQDN, or DN, or some
> certificate field, then that selector (the one which matched the SPD
> entry) won't be in subsequent packets, and hence cannot be used to
> select the correct SAD entry. 
> 
> Additional issues arise when the SPD selectors are address wildcards,
> which also can't be used to select the SAD entry due to the possibility
> of unintended collisions with earlier more precise SPD entries. One way
> to clarify this distinction for purposes of discussion is to
> differentiate between SPD selectors (which might be things other than
> addresses, protocols, etc), and packet selectors (SAD selectors), which
> are *always* addresses, protocols, and SPIs.
> 
> >  If the selection criteria is set to be based on packet
> > (as opposed to policy), every new packet matching the same policy but
> > differing in one regard (say, IP address or TCP/UDP port) would require
> > a new SA.
> > 
> > In the case where selection criteria is set to be based on policy,
> > the SA selection would match the selection of an SP. It is also
> > possible for an SA to match multiple policies.
> > 
> 
> Again, your terminology confuses me. When you say 'the selection
> criteria is set to be based on packet (as opposed to policy)', what do
> you mean?
> 

My terminology is based on the IP architecture draft,
<draft-ietf-ipsec-arch-sec-05.txt>, section 4.4.1, pg 17 below.


   For example, suppose there is an SPD entry where the allowed value
   for source address is any of a range of hosts (192.168.2.1 to
   192.168.2.10).  And suppose that a packet is to be sent that has a
   source address of 192.168.2.3.  The value to be used for the SA could
   be any of the sample values below depending on what the policy entry
   for this selector says is the source of the selector value:

           source for the  example of
           value to be     new SAD
           used in the SA  selector value
           --------------- ------------
           a. packet       192.168.2.3 (one host)
           b. SPD entry    192.168.2.1 to 192.168.2.10 (range of hosts)
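The distinction the draft's table draws (case a, the SAD selector taken from the packet; case b, taken from the SPD entry), and the earlier point that per-packet derivation forces a new SA for every differing host, can be made concrete with a small model. The following is an added illustration, not code from the draft or from any poster; the class and function names (`SPDEntry`, `SADEntry`, `derive_sad_selector`, `simulate`) and the sample packet sources are assumptions constructed for the example. The SPI values are placeholders; a real implementation gets them from key management.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Literal, Optional

# Added illustration of draft-ietf-ipsec-arch-sec-05 section 4.4.1:
# the SAD selector for a new SA is filled in either from the triggering
# packet (case a) or from the SPD entry (case b). All names are assumptions.


@dataclass(frozen=True)
class SPDEntry:
    src_lo: str                          # inclusive source-address range, as in the draft's example
    src_hi: str
    src_from: Literal["packet", "spd"]   # where the SA's source selector value comes from


@dataclass(frozen=True)
class SADEntry:
    src_lo: str                          # SAD (packet) selectors are always concrete addresses/ranges
    src_hi: str
    spi: int


def _in_range(lo: str, hi: str, addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi)


def spd_lookup(spd: List[SPDEntry], packet_src: str) -> Optional[SPDEntry]:
    # First-match policy lookup; SPD ordering decides which entry wins.
    for entry in spd:
        if _in_range(entry.src_lo, entry.src_hi, packet_src):
            return entry
    return None


def derive_sad_selector(entry: SPDEntry, packet_src: str, spi: int) -> SADEntry:
    # Case a: the SA is narrowed to the single host seen in the packet.
    if entry.src_from == "packet":
        return SADEntry(packet_src, packet_src, spi)
    # Case b: the SA carries the SPD entry's whole range.
    return SADEntry(entry.src_lo, entry.src_hi, spi)


def sad_lookup(sad: List[SADEntry], packet_src: str) -> Optional[SADEntry]:
    # Outbound SA selection uses only values present in the packet.
    for sa in sad:
        if _in_range(sa.src_lo, sa.src_hi, packet_src):
            return sa
    return None


def simulate(entry: SPDEntry, packet_srcs: List[str]) -> List[SADEntry]:
    # Returns the SAs that end up being negotiated for a sequence of packets
    # that all match the same SPD entry.
    sad: List[SADEntry] = []
    for src in packet_srcs:
        if sad_lookup(sad, src) is None:
            # Constructed SPI values; IKE would supply real ones.
            sad.append(derive_sad_selector(entry, src, 0x1000 + len(sad)))
    return sad


# Constructed traffic: four packets from three distinct hosts in the range.
EXAMPLE_TRAFFIC = ["192.168.2.3", "192.168.2.7", "192.168.2.3", "192.168.2.9"]
FROM_PACKET = SPDEntry("192.168.2.1", "192.168.2.10", "packet")
FROM_SPD = SPDEntry("192.168.2.1", "192.168.2.10", "spd")

if __name__ == "__main__":
    for label, entry in (("a. packet", FROM_PACKET), ("b. SPD entry", FROM_SPD)):
        sas = simulate(entry, EXAMPLE_TRAFFIC)
        print(f"{label}: {len(sas)} SA(s)")
        for sa in sas:
            print(f"   spi={sa.spi:#x} src={sa.src_lo}..{sa.src_hi}")
```

Running it shows case a producing three SAs (one per distinct host) and case b a single SA covering the whole range, which is the trade-off the thread is discussing: per-packet derivation gives finer-grained SAs at the cost of more negotiations, while SPD-derived selectors let one SA serve every packet the policy entry admits.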
