
Re: use of client IDs



> 
> On Fri, 19 Jun 1998 12:13:33 PDT you wrote
> [snip]
> > > It already allows TCP/UDP port info and subnets and ranges. No, it can't 
> > > express multiple disjoint subnets as a single entity. You need as many SAs 
> > > as you have subnets in that case. This limitation (and also the inability
> > > to express the "everything except..." construct) is acknowledged.
> > > 
> > 
> > Thanks for the clarification. How does it allow TCP/UDP port info? Can you
> > point me to a section that describes this? Thanks.
> 
> It's in section 4.6.2 of the DOI.
> 

Thanks. I missed that...

While we are on the subject of IDs, here is an issue with ID payload 
format:
Say, the negotiator (IKEi) and its client VPN (GWi) are 2 different nodes. 
The negotiator (IKEi) initiates a quick mode exchange. Say, the ID type 
used was a range of addresses (i.e., end nodes supported by GWi).  
How can the gateway on the responder side know the address of its peer 
gateway node (GWi), using this ID payload? You need the peer's address
to have a unique SA identification.  Note, the address used by IKEi cannot 
be assumed to be the address of the client (GWi) it is negotiating for.

cheers,
suresh
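To make the ID payload format under discussion concrete, here is an added example (not part of this thread) that encodes and decodes the IPsec DOI Identification payload as laid out in section 4.6.2 of the DOI (RFC 2407): the generic header, then ID Type, Protocol ID and Port, then the Identification Data. The sample values are constructed; note that for the range type the data is only the client range (GWi's end nodes), so nothing in the payload carries GWi's own address.

```python
import struct
import ipaddress
from dataclasses import dataclass

# ID Type values from the IPsec DOI Identification payload (RFC 2407, section 4.6.2)
ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET, ID_IPV4_ADDR_RANGE = 1, 4, 7

@dataclass
class IdPayload:
    id_type: int
    protocol_id: int   # IP protocol number (6 = TCP, 17 = UDP); 0 = any
    port: int          # transport port; 0 = any
    data: bytes        # Identification Data; layout depends on id_type

def encode_id_payload(p: IdPayload, next_payload: int = 0) -> bytes:
    # Generic payload header (Next Payload, RESERVED, Payload Length), then
    # ID Type, Protocol ID, Port, then the Identification Data.
    length = 8 + len(p.data)
    return struct.pack("!BBHBBH", next_payload, 0, length,
                       p.id_type, p.protocol_id, p.port) + p.data

def decode_id_payload(buf: bytes) -> IdPayload:
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _nxt, rsvd, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if rsvd != 0 or length < 8 or length > len(buf):
        raise ValueError("malformed ID payload header")
    return IdPayload(id_type, proto, port, buf[8:length])

def client_selector(p: IdPayload) -> str:
    """Render the client (proxy) addresses an IPv4 ID payload covers. None of
    these types carries the address of the gateway protecting those clients."""
    if p.id_type == ID_IPV4_ADDR and len(p.data) == 4:
        return str(ipaddress.IPv4Address(p.data))
    if p.id_type == ID_IPV4_ADDR_SUBNET and len(p.data) == 8:
        net, mask = ipaddress.IPv4Address(p.data[:4]), ipaddress.IPv4Address(p.data[4:])
        return str(ipaddress.IPv4Network((str(net), str(mask))))
    if p.id_type == ID_IPV4_ADDR_RANGE and len(p.data) == 8:
        return f"{ipaddress.IPv4Address(p.data[:4])}-{ipaddress.IPv4Address(p.data[4:])}"
    raise ValueError(f"unsupported or malformed ID type {p.id_type}")

# Constructed sample: GWi's clients 192.0.2.10-192.0.2.20, TCP port 80 only
SAMPLE = encode_id_payload(IdPayload(ID_IPV4_ADDR_RANGE, 6, 80,
                                     ipaddress.IPv4Address("192.0.2.10").packed
                                     + ipaddress.IPv4Address("192.0.2.20").packed))

if __name__ == "__main__":
    p = decode_id_payload(SAMPLE)
    print(client_selector(p), "proto", p.protocol_id, "port", p.port)
```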
