
Re: use of client IDs



> 
> Pyda,
> 
> >     1. In a quick mode, SA proposals and optional ID/policy payload
> >        are exchanged in one swoop. So, there is no question of a trust
> >        relationship being established ahead of policy exchange.
> 
> What I had in mind was the ISAKMP SA establishment that must occur
> before the IPSEC SA establishment, thus the remote negotiating peer
> has already been successfully authenticated before the Quick Mode
> exchange starts.
>

I understand.

> >     2. Next, the issue of policy direction.
> >
> >        During SA negotiation, IKE client for A sends proposals to B.
> >        The SA that is represented by these proposals is for inbound
> >        data packets to A.
> >
> >        Shouldn't the policy that accompanies SA also be in the same
> >        direction as the SA? I.e., I believe, the policy description sent
> >        by A should in fact be applicable for the inbound packets to A.
> >        (and, not the outbound as your message above seems to imply).
> 
> Hmm.. I had read it such that the {IDci, IDcr} pair identified the 
> traffic that A was going to send on the SA, and that B used this to 
> key into its SPD in order to verify that it had a matching policy, 
> so I thought it applied to the outbound traffic at A.   
> 
Well, one could have interpreted it either way. What I wrote was my
interpretation. A lot of the ambiguity is apparently due to overloading
of the ID payload semantics.

cheers, 
suresh
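To make the ambiguity discussed in this thread concrete, here is an added illustration (not code from the thread or from any IKE implementation) that models how responder B would turn the Quick Mode {IDci, IDcr} pair into an SPD lookup under each of the two readings: the pair describes A's outbound traffic, or the pair describes A's inbound traffic. The address prefixes and B's SPD entries are constructed; the point it shows is that if A and B pick different readings, B's lookup comes out mirror-imaged and the negotiation fails even though both policies are compatible.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Selector:
    src: str  # source address/prefix of the traffic
    dst: str  # destination address/prefix of the traffic

@dataclass(frozen=True)
class SpdEntry:
    direction: str   # "in" or "out", from this host's own point of view
    selector: Selector
    action: str      # "protect", "bypass" or "discard"

def expected_selectors(idci: str, idcr: str, reading: str) -> dict:
    """What B must find in its SPD for both SA directions under one reading.

    reading == "a_outbound": {IDci, IDcr} describes traffic A will send.
    reading == "a_inbound":  {IDci, IDcr} describes traffic A will receive.
    (Both readings are hypothetical labels for the two interpretations above.)
    """
    if reading == "a_outbound":
        a_to_b = Selector(src=idci, dst=idcr)
    elif reading == "a_inbound":
        a_to_b = Selector(src=idcr, dst=idci)
    else:
        raise ValueError(f"unknown reading: {reading}")
    # Quick Mode sets up a pair of one-way SAs; the reverse one mirrors the selector.
    b_to_a = Selector(src=a_to_b.dst, dst=a_to_b.src)
    # Traffic A sends is B's inbound; traffic B sends is B's outbound.
    return {"in": a_to_b, "out": b_to_a}

def spd_lookup(spd, direction: str, selector: Selector):
    """Exact-match SPD lookup; returns the action or None if no entry matches."""
    for entry in spd:
        if entry.direction == direction and entry.selector == selector:
            return entry.action
    return None

def responder_accepts(spd, idci: str, idcr: str, reading: str) -> bool:
    """True iff B holds 'protect' entries for both SA directions under this reading."""
    wanted = expected_selectors(idci, idcr, reading)
    return all(spd_lookup(spd, d, s) == "protect" for d, s in wanted.items())

# Constructed SPD for B: protect everything between A's net and B's net.
A_NET, B_NET = "10.0.1.0/24", "10.0.2.0/24"
B_SPD = [
    SpdEntry("in", Selector(src=A_NET, dst=B_NET), "protect"),
    SpdEntry("out", Selector(src=B_NET, dst=A_NET), "protect"),
]
```

With IDci = A's net and IDcr = B's net, `responder_accepts` succeeds under the "a_outbound" reading and fails under "a_inbound", because B then looks for an inbound entry with source B_NET that its SPD never had.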

