Re: use of client IDs
>
> Pyda,
>
> > 1. In a quick mode, SA proposals and optional ID/policy payload
> > are exchanged in one swoop. So, there is no question of trust
> > relationship being established ahead of policy exchange.
>
> What I had in mind was the ISAKMP SA establishment that must occur
> before the IPSEC SA establishment, thus the remote negotiating peer
> has already been successfully authenticated before the Quick Mode
> exchange starts.
>
I understand.
> > 2. Next, the issue of policy direction.
> >
> > During SA negotiation, IKE client for A sends proposals to B.
> > The SA that is represented by these proposals is for inbound
> > data packets to A.
> >
> > Shouldn't the policy that accompanies the SA also be in the same
> > direction as the SA? I.e., I believe the policy description sent
> > by A should in fact be applicable for the inbound packets to A
> > (and not the outbound, as your message above seems to imply).
>
> Hmm.. I had read it such that the {IDci, IDcr} pair identified the
> traffic that A was going to send on the SA, and that B used this to
> key into its SPD in order to verify that it had a matching policy,
> so I thought it applied to the outbound traffic at A.
>
Well, one could have interpreted it either way. What I wrote was my
interpretation. A lot of the ambiguity is apparently due to overloading
of the ID payload semantics.
cheers,
suresh
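As an added illustration, not part of this thread and not text from any IKE specification, the following Python model shows the responder-side check that the exchange above is arguing about: B receives A's {IDci, IDcr} pair and keys into its own SPD. The point it makes concrete is that the same selector pair reads as "A's outbound" to A and as "B's inbound" to B, so B's lookup has to mirror the pair (IDci is B's remote end, IDcr is B's local end). The `Selector` and `SpdEntry` types, the SPD layout and all addresses are constructed for this example.

```python
# Added illustration (not from the post or any RFC text): a toy model of how a
# responder B might check an initiator A's {IDci, IDcr} pair against its own
# Security Policy Database (SPD). Selector names, SPD layout and sample
# addresses are all constructed for this example.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Selector:
    """One traffic selector as carried in an ID payload: prefix, protocol, port."""
    network: str   # e.g. "10.1.0.0/24"; a bare host address is a /32
    proto: int     # 0 = any protocol
    port: int      # 0 = any port

    def covers(self, other: "Selector") -> bool:
        """True if this selector's range fully contains `other`'s range."""
        me = ipaddress.ip_network(self.network, strict=False)
        them = ipaddress.ip_network(other.network, strict=False)
        if me.version != them.version or not them.subnet_of(me):
            return False
        # A wildcard (0) covers anything; a specific value covers only itself.
        if self.proto not in (0, other.proto):
            return False
        if self.port not in (0, other.port):
            return False
        return True


@dataclass(frozen=True)
class SpdEntry:
    local: Selector   # traffic endpoint on B's own side
    remote: Selector  # traffic endpoint on the peer's side
    action: str       # "PROTECT", "BYPASS" or "DISCARD"


def lookup_policy(spd, idci, idcr):
    """Responder-side SPD lookup for a Quick Mode ID pair.

    A (the initiator) sends IDci describing its own client(s) and IDcr
    describing B's client(s).  From B's point of view IDci is the *remote*
    end and IDcr the *local* end, so the lookup mirrors the pair.  Because
    Quick Mode sets up a mirrored pair of SAs, this one mirrored lookup
    serves both the traffic A sends (inbound at B) and the traffic A
    receives (outbound at B); which label applies depends only on which
    peer is speaking.
    """
    for entry in spd:
        if entry.remote.covers(idci) and entry.local.covers(idcr):
            return entry
    return None


# Constructed SPD for B: protect B's 10.2.0.0/24 site towards A's 10.1.0.0/24
# site, and discard traffic between B's site and any other remote.
B_SPD = [
    SpdEntry(local=Selector("10.2.0.0/24", 0, 0),
             remote=Selector("10.1.0.0/24", 0, 0),
             action="PROTECT"),
    SpdEntry(local=Selector("10.2.0.0/24", 0, 0),
             remote=Selector("0.0.0.0/0", 0, 0),
             action="DISCARD"),
]


def check_quick_mode_ids(idci, idcr, spd=B_SPD):
    """Return the action B's SPD yields for A's proposed ID pair, or NO-POLICY."""
    entry = lookup_policy(spd, idci, idcr)
    return entry.action if entry else "NO-POLICY"


def check_without_mirroring(idci, idcr, spd=B_SPD):
    """What happens if B applies A's direction labels as its own, i.e. treats
    IDci as local and IDcr as remote: the lookup is done with the pair swapped."""
    return check_quick_mode_ids(idcr, idci, spd)


if __name__ == "__main__":
    a_site = Selector("10.1.0.0/24", 0, 0)   # IDci: A's clients
    b_site = Selector("10.2.0.0/24", 0, 0)   # IDcr: B's clients
    print("mirrored lookup:    ", check_quick_mode_ids(a_site, b_site))
    print("unmirrored lookup:  ", check_without_mirroring(a_site, b_site))
```

Run directly, the mirrored lookup finds the PROTECT entry while the unmirrored one finds nothing, which is the practical consequence of the two peers labelling the same ID pair with opposite directions.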