
Re: use of client IDs



Pyda Srisuresh wrote:
<trimmed...>
> > > > Policy is a local matter. Gateways with differing policies may or may
> > > > not communicate, depending upon the intersection of their policy sets.
> > > >
<trimmed...>

> Let me expand a bit on what I am trying to say here.
> 
>    It is not good enough for policies to intersect. They must match.
>    Alternately, where only a subset of a policy matches, the receiving
>    node must be prepared to split the original policy into one that
>    has a match and one that doesn't have a match. That could get messy.

Re-read the post: the policy sets must intersect. If they don't, the
negotiations will fail. Think about it.

> 
>    Another subtle item is the sequencing of policies on either end.
>    It is quite possible to have SAs established with matching policies
>    and still have the packets blackholed, because the policy ordering
>    is not the same on both ends.

No. The architecture document specifically prescribes the methodology
for avoiding this pitfall.

<trimmed...>
> As far as I can tell, policies are exchanged between peer nodes. Without
> that, you cannot be certain peer nodes will utilize the right SAs for
> secure data transmission. While policies may be determined locally, they
> need to be exchanged with the appropriate peer nodes.

As stated in the previous post, policies are not exchanged - identities
may be, and proposals always are.
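The exchange the reply describes, as an added toy model that is not part of the original thread and is not code from any IPsec implementation: each peer keeps its policy local as an ordered list of acceptable transform sets, only proposals cross the wire, and the negotiation succeeds exactly when the two policy sets intersect, whether or not they match. The `Transform`/`Peer` names, the sample peers, and the rule that the responder takes the first offered transform it also accepts are assumptions of this illustration, not something the thread or the IKE specification fixes.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of the proposal/selection step discussed in the thread.
# Policy is a local matter: it is never transmitted. Only the initiator's
# proposals and the responder's single selection cross the wire.


@dataclass(frozen=True)
class Transform:
    """One acceptable transform set (toy fields, not real IKE attributes)."""
    encr: str
    integ: str
    group: int


@dataclass
class Peer:
    name: str
    policy: List[Transform]  # ordered by local preference; stays local

    def build_proposals(self) -> List[Transform]:
        # Initiator: offer every transform its own policy accepts, in
        # preference order. Note this is a *proposal list*, not the policy
        # itself: the responder learns what was offered, not why.
        return list(self.policy)

    def select(self, proposals: List[Transform]) -> Optional[Transform]:
        # Responder: take the first offered transform it also accepts.
        # (Assumed rule for this toy; real implementations may prefer
        # their own order when choosing among acceptable offers.)
        acceptable = set(self.policy)
        for offered in proposals:
            if offered in acceptable:
                return offered
        return None  # empty intersection


def negotiate(initiator: Peer, responder: Peer) -> Transform:
    """Run one proposal/selection round; raise if the policy sets are disjoint."""
    chosen = responder.select(initiator.build_proposals())
    if chosen is None:
        raise ValueError(
            f"{initiator.name} -> {responder.name}: no common transform, "
            "policy sets do not intersect")
    return chosen


# Constructed sample peers. ALICE and BOB have *different* policies that
# nevertheless intersect; CAROL's policy is disjoint from ALICE's.
T_AES = Transform("AES", "HMAC-SHA1", 2)
T_3DES = Transform("3DES", "HMAC-MD5", 2)
T_DES = Transform("DES", "HMAC-MD5", 1)

ALICE = Peer("alice", [T_AES, T_3DES])
BOB = Peer("bob", [T_3DES, T_AES, T_DES])
CAROL = Peer("carol", [T_DES])


if __name__ == "__main__":
    print("alice -> bob  :", negotiate(ALICE, BOB))
    print("bob   -> alice:", negotiate(BOB, ALICE))
    try:
        negotiate(ALICE, CAROL)
    except ValueError as exc:
        print("alice -> carol:", exc)
```

Running it shows that alice and bob, whose policies neither match nor share an ordering, still agree on a transform, and that alice and carol fail as the reply says they must.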
