
Re: use of client IDs
Pyda Srisuresh wrote:
> 
>     A couple of clarifications (at least for myself) to note:
> 
>     1. In a quick mode, SA proposals and optional ID/policy payload
>        are exchanged in one swoop. So, there is no question of trust
>        relationship being established ahead of policy exchange.


This is one portion of this discussion that confuses me, i.e. the
references to 'policy exchange'. Somebody help me out here: when is
policy *ever* exchanged?

My understanding is this: my policy is a local matter, completely
defined at my discretion. I *never* send you my policy. Rather, I offer
proposals to which you respond. I really don't understand when I hear
the ID payload called a 'policy' payload.

I reiterate from an earlier post: the policy implementation for the
current ipsec suite assumes an identity-based policy model, as opposed
to a rule-based policy model. Inherent in such a model is the need for
some sort of identification, and the ID payload serves this purpose. So
far as I can tell, that is precisely its reason for existence.

If I'm missing something, somebody please correct me.


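To make the "policy is local, only proposals and IDs cross the wire" point concrete, here is an added example (not code from the original post or any IPsec implementation) modelling the responder side of a quick-mode exchange under an identity-based policy model. The local policy table, identities and proposals are constructed for illustration; the fallback to the phase 1 identity when no client ID payload is present is an assumption of this model based on IKEv1 behaviour.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Proposal:
    protocol: str   # "ESP" or "AH"
    cipher: str     # e.g. "3DES-CBC"
    auth: str       # e.g. "HMAC-SHA1"

@dataclass(frozen=True)
class Identity:
    id_type: str    # e.g. "USER_FQDN", "IPV4_ADDR"
    value: str

# Constructed local policy (the responder's own SPD): identity -> proposals
# this host is willing to accept, in its own preference order. This table
# is never sent on the wire; only proposals and ID payloads are exchanged.
LOCAL_POLICY = {
    Identity("USER_FQDN", "alice@example.com"): (
        Proposal("ESP", "3DES-CBC", "HMAC-SHA1"),
    ),
    Identity("IPV4_ADDR", "192.0.2.10"): (
        Proposal("ESP", "AES-CBC-128", "HMAC-SHA1"),
        Proposal("ESP", "3DES-CBC", "HMAC-SHA1"),
    ),
}

def respond(phase1_id: Identity, client_id: Optional[Identity],
            offered: list) -> Optional[Proposal]:
    """Responder's quick-mode decision.
    `client_id` is the optional IDci payload; when it is absent the identity
    established in phase 1 applies (assumption modelled on IKEv1).
    Returns the single proposal we accept, or None to reject the exchange."""
    selector = client_id if client_id is not None else phase1_id
    acceptable = LOCAL_POLICY.get(selector)
    if acceptable is None:
        return None  # no policy entry for this identity: nothing to negotiate
    # Honour the initiator's preference order among what local policy allows;
    # the initiator learns nothing about entries it did not itself offer.
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None

if __name__ == "__main__":
    alice = Identity("USER_FQDN", "alice@example.com")
    print(respond(alice, alice, [Proposal("ESP", "AES-CBC-128", "HMAC-SHA1"),
                                 Proposal("ESP", "3DES-CBC", "HMAC-SHA1")]))
```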