
RE: use of client IDs
Pyda,

>     1. In a quick mode, SA proposals and optional ID/policy payload
>        are exchanged in one swoop. So, there is no question of a trust
>        relationship being established ahead of the policy exchange.

What I had in mind was the ISAKMP SA establishment that must occur
before the IPSEC SA establishment, thus the remote negotiating peer
has already been successfully authenticated before the Quick Mode
exchange starts.

>     2. Next, the issue of policy direction.
>
>        During SA negotiation, IKE client for A sends proposals to B.
>        The SA that is represented by these proposals is for inbound
>        data packets to A.
>
>        Shouldn't the policy that accompanies SA also be in the same
>        direction as the SA? I.e., I believe, the policy description sent
>        by A should in fact be applicable for the inbound packets to A.
>        (and, not the outbound as your message above seems to imply).

Hmm.. I had read it such that the {IDci, IDcr} pair identified the
traffic that A was going to send on the SA, and that B used this to
key into its SPD in order to verify that it had a matching policy,
so I thought it applied to the outbound traffic at A.

Bryan
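The SPD lookup discussed in this message, as an added example that is not part of the thread and not taken from any IKE implementation: the responder B receives the initiator's {IDci, IDcr} pair and checks it against its own per-direction SPD before accepting the proposal, so that even an already-authenticated Phase 1 peer cannot bring up an IPSEC SA for traffic that local policy does not cover. The direction convention (IDci is the source of the traffic A will send, so the pair is outbound at A and inbound at B, and B mirrors it for the reverse SA), the gateway names gw-a/gw-b, the address ranges and the SPD layout are all assumptions constructed for the example.

```python
# Added illustration (not from the thread): a toy model of how a Quick Mode
# responder can key the initiator's {IDci, IDcr} pair into its own SPD.
# Direction convention assumed here: IDci = source of the traffic the
# initiator will send, so the pair is "out" at A and "in" at B.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class SpdEntry:
    direction: str   # "in" or "out", from the viewpoint of the gateway owning the SPD
    src: str         # CIDR selector for the packet source
    dst: str         # CIDR selector for the packet destination
    proto: int       # IP protocol number, 0 = any
    action: str      # "protect", "bypass" or "discard"
    peer: str        # authenticated IKE peer (Phase 1 identity) this entry is tied to


def _covers(policy_cidr: str, proposed_cidr: str) -> bool:
    """True if the proposed selector lies entirely inside the policy selector."""
    policy, proposed = ip_network(policy_cidr), ip_network(proposed_cidr)
    return policy.version == proposed.version and proposed.subnet_of(policy)


def _find(spd, direction, src, dst, proto, peer):
    """First SPD entry for this direction and peer whose selectors cover src->dst."""
    for e in spd:
        if e.direction != direction or e.peer != peer:
            continue
        if e.proto not in (0, proto):
            continue
        if _covers(e.src, src) and _covers(e.dst, dst):
            return e
    return None


def initiator_client_ids(spd_a, peer):
    """A builds {IDci, IDcr, proto} from its outbound 'protect' entry for this peer."""
    for e in spd_a:
        if e.direction == "out" and e.action == "protect" and e.peer == peer:
            return e.src, e.dst, e.proto
    return None


def responder_accepts(spd_b, idci, idcr, proto, peer):
    """B's check: traffic A will send (IDci -> IDcr) is inbound at B, and the
    reverse direction (IDcr -> IDci) is outbound at B. Both must be covered by
    'protect' entries tied to the peer that was authenticated in Phase 1."""
    inbound = _find(spd_b, "in", idci, idcr, proto, peer)
    outbound = _find(spd_b, "out", idcr, idci, proto, peer)
    return (inbound is not None and inbound.action == "protect"
            and outbound is not None and outbound.action == "protect")


# Constructed sample SPDs: site 10.1.0.0/16 behind gateway A, 10.2.0.0/16 behind B.
SPD_A = [SpdEntry("out", "10.1.0.0/16", "10.2.0.0/16", 0, "protect", "gw-b"),
         SpdEntry("in",  "10.2.0.0/16", "10.1.0.0/16", 0, "protect", "gw-b")]
SPD_B = [SpdEntry("in",  "10.1.0.0/16", "10.2.0.0/16", 0, "protect", "gw-a"),
         SpdEntry("out", "10.2.0.0/16", "10.1.0.0/16", 0, "protect", "gw-a")]


def demo():
    """Run the exchange: A derives its client IDs, B verifies them against SPD_B."""
    idci, idcr, proto = initiator_client_ids(SPD_A, "gw-b")
    return {
        "proposed": (idci, idcr),
        "accepted": responder_accepts(SPD_B, idci, idcr, proto, "gw-a"),
        # A narrower selector inside the policy is still covered.
        "narrower": responder_accepts(SPD_B, "10.1.5.0/24", "10.2.7.0/24", 6, "gw-a"),
        # A selector wider than B's policy must be refused.
        "wider_than_policy": responder_accepts(SPD_B, "10.0.0.0/8", idcr, proto, "gw-a"),
        # The same selectors from a peer B has no policy for must be refused.
        "other_peer": responder_accepts(SPD_B, idci, idcr, proto, "gw-c"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is that the same {IDci, IDcr} pair reads as outbound policy at A and inbound policy at B, so B verifies it by swapping the viewpoint rather than the selectors; the check against the authenticated peer identity is what prevents a peer from negotiating an SA for address ranges its policy entry does not grant.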
