[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: use of client IDs

To: Chris Boscolo <chrisb@watchguard.com>, ipsec@tis.com
Subject: RE: use of client IDs
From: Bryan Gleeson <BGleeson@shastanets.com>
Date: Mon, 22 Jun 1998 20:26:52 -0700
Sender: owner-ipsec@ex.tis.com

Chris,

> In the mean time, for the ID, why not use as many of the selector
> values as are needed to match your local policy for which you are
> trying to build an SA.  Of course this implies the policies are
> similar on both sides.  This way, the responder of the IKE negotiation
> would use the ID to do a policy lookup.  The SA negotiated would be
> used for that policy.
> 
> One outcome of this approach is that address ranges and subnets  as
> IDs would lead to ambiguous policy to ID mappings.  But, if you ask
> me, ranges and subnets seem an attempt to accomplish partial policy
> negotiation anyway.

Yes, and I think a general purpose policy exchange protocol, which is 
capable of representing the set of IP packets that will be transmitted 
onto an SA, is a difficult problem to solve. Because an SPD is an 
ordered list of selectors, you need to able to represent "the set
of packets selected by entry 10, except for those selected by entries
1 to 9".  

Bryan

Follow-Ups:

RE: use of client IDs

From: Chris Boscolo <chrisb@watchguard.com>

Prev by Date: RE: use of client IDs
Next by Date: isakmp notify MID values
Prev by thread: Re: use of client IDs
Next by thread: RE: use of client IDs
Index(es):
- Main
- Thread