Re: use of client IDs
Pyda Srisuresh wrote:
<trimmed...>
> > > > Policy is a local matter. Gateways with differing policies may or may
> > > > not communicate, depending upon the intersection of their policy sets.
> > > >
<trimmed...>
> Let me expand a bit on what I am trying to say here.
>
> It is not good enough for policies to intersect. They must match.
> Alternately, where only a subset of a policy matches, the receiving
> node must be prepared to split the original policy into one that
> has a match and one that doesn't have a match. That could get messy.
Re-read the post: the policy sets must intersect. If they don't, the
negotiations will fail. Think about it.
>
> Another subtle item is the sequencing of policies on either end.
> It is quite possible to have SAs established with matching policies
> and still have the packets blackholed, because the policy ordering
> is not the same on both ends.
No. The architecture document specifically prescribes the methodology
for avoiding this pitfall.
<trimmed...>
> As far as I can tell, policies are exchanged between peer nodes. Without
> that, you cannot be certain peer nodes will utilize the right SAs for
> secure data transmission. While policies may be determined locally, they
> need to be exchanged with the appropriate peer nodes.
As stated in the previous post, policies are not exchanged - identities
may be, and proposals always are.
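The following is an added example, not code from this thread or from any IPsec implementation, modelling the point made in the reply: each gateway's policy stays local, only proposals cross the wire, and negotiation succeeds only if the two policy sets intersect. The `Proposal` structure, the policy lists for the three gateways and the first-acceptable-offer selection rule are illustrative assumptions, not a description of a particular IKE version.

```python
"""Toy model of proposal negotiation between two IPsec gateways.

Added example, not code from the mailing-list thread. The data model and
selection rule are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    """One SA proposal. Hashable so policy sets can be intersected."""
    protocol: str   # "ESP" or "AH"
    encr: str       # encryption transform ("none" for AH)
    auth: str       # integrity transform
    group: int      # Diffie-Hellman group


# Constructed local policies, in each gateway's order of preference.
# These never leave the gateway that holds them.
POLICY_A: List[Proposal] = [
    Proposal("ESP", "3DES", "HMAC-SHA1", 2),
    Proposal("ESP", "3DES", "HMAC-MD5", 2),
    Proposal("ESP", "DES", "HMAC-MD5", 1),
]
POLICY_B: List[Proposal] = [
    Proposal("ESP", "DES", "HMAC-MD5", 1),
    Proposal("ESP", "3DES", "HMAC-MD5", 2),
]
POLICY_C: List[Proposal] = [          # AH only: no overlap with A or B
    Proposal("AH", "none", "HMAC-SHA1", 2),
]


def initiator_proposals(local_policy: List[Proposal]) -> List[Proposal]:
    """What the initiator actually sends: its proposals, in preference order.

    The policy itself is not transmitted; the proposals derived from it are.
    """
    return list(local_policy)


def responder_select(local_policy: List[Proposal],
                     offered: List[Proposal]) -> Optional[Proposal]:
    """Responder picks the first offered proposal that its own local policy
    also allows. It never sees the initiator's policy, only the offer.

    Returns None when the two policy sets do not intersect.
    """
    acceptable = set(local_policy)
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None


def policy_intersection(a: List[Proposal], b: List[Proposal]) -> set:
    """The set both sides would accept; empty means negotiation cannot succeed."""
    return set(a) & set(b)


def negotiate(initiator_policy: List[Proposal],
              responder_policy: List[Proposal]) -> Proposal:
    """Run one negotiation. Raises if the policy sets have no common proposal."""
    offered = initiator_proposals(initiator_policy)
    chosen = responder_select(responder_policy, offered)
    if chosen is None:
        raise ValueError("no proposal acceptable to both peers; negotiation fails")
    return chosen


if __name__ == "__main__":
    print("A -> B:", negotiate(POLICY_A, POLICY_B))
    try:
        negotiate(POLICY_A, POLICY_C)
    except ValueError as exc:
        print("A -> C:", exc)
```

Note that in this toy model the policies of A and B are neither identical nor in the same order, yet the exchange succeeds because their intersection is non-empty; the initiator's ordering decides which common proposal is used. A and C fail at negotiation time, before any SA exists, rather than silently passing traffic.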