Re: use of client IDs
Pyda Srisuresh wrote:
>
> A couple of clarifications (at least for myself) to note:
>
> 1. In a quick mode, SA proposals and optional ID/policy payload
> are exchanged in one swoop. So, there is no question of trust
> relationship being established ahead of policy exchange.
This is one portion of this discussion that confuses me, i.e. the
references to 'policy exchange'. Somebody help me out here: when is
policy *ever* exchanged?
My understanding is this: my policy is a local matter, completely
defined at my discretion. I *never* send you my policy. Rather, I offer
proposals to which you respond. I really don't understand when I hear
the ID payload called a 'policy' payload.
I reiterate from an earlier post: the policy implementation for the
current ipsec suite assumes an identity-based policy model, as opposed
to a rule-based policy model. Inherent in such a model is the need for
some sort of identification, and the ID payload serves this purpose. So
far as I can tell, that is precisely its reason for existence.
If I'm missing something, somebody please correct me.
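The exchange described above, as an added illustration (not part of the original post, and not code from any IPsec implementation): a toy Python model of one quick-mode round trip. The initiator sends SA proposals plus optional client IDs (IDci/IDcr); the responder consults its own, purely local security policy database, keyed by those identities, and answers with exactly one accepted proposal or a rejection. The message and policy structures, the field names and the sample SPD are all assumptions made up for the example; only the ID payload types, the proposal ordering and the "no IDs means the IKE peers' own addresses" default (RFC 2409 section 5.5) come from the protocol.

```python
"""Toy quick-mode negotiation showing that policy is local and only
proposals travel on the wire.  Added example; structures are hypothetical."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Proposal:
    """One SA offer: protocol plus a toy subset of transform attributes."""
    protocol: str   # "ESP" or "AH"
    encr: str       # e.g. "AES-128", "3DES", "DES"
    auth: str       # e.g. "HMAC-SHA1", "HMAC-MD5"


@dataclass(frozen=True)
class ClientID:
    """IDci / IDcr payload; only address and subnet ID types are modelled."""
    id_type: str    # "IPV4_ADDR" or "IPV4_ADDR_SUBNET"
    value: str      # "10.0.0.1" or "10.0.0.0/24"

    def network(self) -> IPv4Network:
        return ip_network(self.value, strict=False)


@dataclass
class QuickModeMsg1:
    """Initiator -> responder: SA proposals (in preference order) and optional IDs."""
    proposals: List[Proposal]
    idci: Optional[ClientID] = None
    idcr: Optional[ClientID] = None


@dataclass
class QuickModeMsg2:
    """Responder -> initiator: the single accepted proposal, or None on rejection.
    Nothing else about the responder's policy is revealed."""
    accepted: Optional[Proposal]
    idci: Optional[ClientID] = None
    idcr: Optional[ClientID] = None


@dataclass
class SpdEntry:
    """Responder-local policy (hypothetical layout): which proposals may
    protect traffic between these two identities."""
    local_net: IPv4Network
    remote_net: IPv4Network
    allowed: Set[Proposal]


class Responder:
    def __init__(self, spd: List[SpdEntry], own_addr: str, peer_addr: str):
        self.spd = spd              # never sent to anyone
        self.own_addr = own_addr    # IKE (phase 1) addresses of the two peers
        self.peer_addr = peer_addr

    def handle(self, msg: QuickModeMsg1) -> QuickModeMsg2:
        # Identities: the client IDs if present, otherwise (RFC 2409 section 5.5)
        # the IKE peers' own addresses.
        idci = msg.idci or ClientID("IPV4_ADDR", self.peer_addr)
        idcr = msg.idcr or ClientID("IPV4_ADDR", self.own_addr)
        # Identity-based lookup: the ID payloads select the policy entry.
        entry = self._lookup(remote=idci.network(), local=idcr.network())
        if entry is None:
            return QuickModeMsg2(accepted=None)
        # Honour the initiator's preference order, but only within local policy.
        for p in msg.proposals:
            if p in entry.allowed:
                return QuickModeMsg2(accepted=p, idci=msg.idci, idcr=msg.idcr)
        return QuickModeMsg2(accepted=None)

    def _lookup(self, remote: IPv4Network, local: IPv4Network) -> Optional[SpdEntry]:
        for e in self.spd:
            if remote.subnet_of(e.remote_net) and local.subnet_of(e.local_net):
                return e
        return None


def demo() -> dict:
    """Run four constructed negotiations against a constructed SPD."""
    aes = Proposal("ESP", "AES-128", "HMAC-SHA1")
    tdes = Proposal("ESP", "3DES", "HMAC-SHA1")
    des = Proposal("ESP", "DES", "HMAC-MD5")
    spd = [  # constructed sample policy
        SpdEntry(ip_network("10.0.0.0/24"), ip_network("192.168.1.0/24"), {aes, tdes}),
        SpdEntry(ip_network("10.0.0.1/32"), ip_network("203.0.113.5/32"), {aes}),
    ]
    r = Responder(spd, own_addr="10.0.0.1", peer_addr="203.0.113.5")
    net_ci = ClientID("IPV4_ADDR_SUBNET", "192.168.1.0/24")
    net_cr = ClientID("IPV4_ADDR_SUBNET", "10.0.0.0/24")
    return {
        # subnet IDs; DES offered first but local policy only permits AES/3DES
        "subnet_pick": r.handle(QuickModeMsg1([des, aes], net_ci, net_cr)).accepted,
        # subnet IDs; nothing acceptable offered -> rejection
        "subnet_reject": r.handle(QuickModeMsg1([des], net_ci, net_cr)).accepted,
        # no IDs: identities default to the peer addresses, host-to-host entry
        "host_default": r.handle(QuickModeMsg1([tdes, aes])).accepted,
        # IDs covered by no SPD entry -> rejection regardless of proposals
        "unknown_ids": r.handle(QuickModeMsg1(
            [aes], ClientID("IPV4_ADDR_SUBNET", "172.16.0.0/16"), net_cr)).accepted,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The point the model makes concrete: the responder's SPD is consulted, never transmitted; the initiator learns only which of its own offers was accepted, and the ID payloads exist so that the responder can find the right local entry to consult.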