
RE: use of client IDs



Scott,

> This is one portion of this discussion that confuses me, i.e. the
> references to 'policy exchange'. Somebody help me out here: when is
> policy *ever* exchanged?
> 
> My understanding is this: my policy is a local matter, completely
> defined at my discretion. I *never* send you my policy. Rather, I offer
> proposals to which you respond. I really don't understand when I hear
> the ID payload called a 'policy' payload.
> 
> I reiterate from an earlier post: the policy implementation for the
> current ipsec suite assumes an identity-based policy model, as opposed
> to a rule-based policy model. Inherent in such a model is the need for
> some sort of identification, and the ID payload serves this purpose. So
> far as I can tell, that is precisely its reason for existence.
> 
> If I'm missing something, somebody please correct me.

I previously posed a question about what is the definition of the
"thing" that client/proxy negotiation is done on behalf of - is it a
host, host interface, flow, aggregate flow, group of hosts that share a
common address prefix, a group of hosts that may share more than one
address prefix, all of the above, or something else? Given that the
payload with the name "Identity" can represent many of these things,
and in the future may be able to represent an even richer set of things,
the issue is that in practice the payload with the name "Identity" does
in fact semantically represent something that in many people's view is
"Policy", e.g. the set of packets that are allowed on a particular SA.
 
Bryan
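
Bryan's point, that an address-typed ID payload is in practice a description of a packet set rather than a mere name, can be made concrete by decoding one. The following is an added example, not code from this thread or from any IKE implementation. It assumes the Identification payload layout of the IPsec DOI (RFC 2407, section 4.6.2: generic payload header, ID type, protocol ID, port, identification data) and the ID type numbers defined there; the sample payloads are constructed here for illustration, not taken from a capture.

```python
"""Decode IPsec DOI (RFC 2407, section 4.6.2) Identification payloads and
evaluate them as what Phase 2 uses them for: a description of the set of
packets an SA may carry.  Added example, not code from the original thread;
the sample payloads in sample_payloads() are constructed for illustration.
"""
import ipaddress
import struct

# ID types, RFC 2407 section 4.6.2.1
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4
ID_IPV6_ADDR = 5
ID_IPV6_ADDR_SUBNET = 6
ID_IPV4_ADDR_RANGE = 7
ID_IPV6_ADDR_RANGE = 8
ID_DER_ASN1_DN = 9
ID_DER_ASN1_GN = 10
ID_KEY_ID = 11

# Exact identification-data length each address-based type must carry.
_ADDR_DATA_LEN = {ID_IPV4_ADDR: 4, ID_IPV6_ADDR: 16,
                  ID_IPV4_ADDR_SUBNET: 8, ID_IPV6_ADDR_SUBNET: 32,
                  ID_IPV4_ADDR_RANGE: 8, ID_IPV6_ADDR_RANGE: 32}
_V4_TYPES = (ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET, ID_IPV4_ADDR_RANGE)
_NAME_TYPES = (ID_FQDN, ID_USER_FQDN, ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID)

# Fixed part: generic header (next payload, reserved, length) then
# ID type, protocol ID and port.  Protocol/port 0 mean "ignore".
_HEADER = struct.Struct("!BBHBBH")


def _prefixlen_from_mask(mask):
    """Turn a packed netmask into a prefix length, rejecting non-contiguous masks."""
    bits = len(mask) * 8
    value = int.from_bytes(mask, "big")
    ones = bin(value).count("1")
    if value != ((1 << ones) - 1) << (bits - ones):
        raise ValueError("non-contiguous netmask")
    return ones


class IdPayload:
    """One decoded Identification payload."""

    def __init__(self, id_type, protocol, port, data):
        self.id_type, self.protocol, self.port = id_type, protocol, port
        self.network = None      # *_ADDR and *_ADDR_SUBNET
        self.addr_range = None   # (low, high) for *_ADDR_RANGE
        self.name = None         # raw bytes for the name-like types
        if id_type in _NAME_TYPES:
            self.name = bytes(data)
            return
        if id_type not in _ADDR_DATA_LEN:
            raise ValueError("unknown ID type %d" % id_type)
        if len(data) != _ADDR_DATA_LEN[id_type]:
            raise ValueError("ID type %d needs %d data bytes, got %d"
                             % (id_type, _ADDR_DATA_LEN[id_type], len(data)))
        net_cls = ipaddress.IPv4Network if id_type in _V4_TYPES else ipaddress.IPv6Network
        half = len(data) // 2
        if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
            self.network = net_cls(data)                      # single host
        elif id_type in (ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR_SUBNET):
            # strict=True: an address with host bits set under its mask is malformed
            self.network = net_cls((data[:half], _prefixlen_from_mask(data[half:])))
        else:
            low, high = ipaddress.ip_address(data[:half]), ipaddress.ip_address(data[half:])
            if high < low:
                raise ValueError("inverted address range")
            self.addr_range = (low, high)

    def is_traffic_selector(self):
        """Address-based IDs describe packets; the name types identify a peer."""
        return self.name is None

    def matches(self, address, protocol, port):
        """Does a packet with this address/protocol/port fall in the described set?"""
        if not self.is_traffic_selector():
            return False
        if self.protocol and protocol != self.protocol:
            return False
        if self.port and port != self.port:
            return False
        ip = ipaddress.ip_address(address)
        if self.network is not None:
            return ip.version == self.network.version and ip in self.network
        low, high = self.addr_range
        return ip.version == low.version and low <= ip <= high


def parse_id_payload(raw):
    """Decode one Identification payload, generic header included."""
    if len(raw) < _HEADER.size:
        raise ValueError("payload shorter than its fixed header")
    _next, _reserved, length, id_type, protocol, port = _HEADER.unpack_from(raw)
    if length != len(raw):
        raise ValueError("length field %d does not match %d bytes" % (length, len(raw)))
    return IdPayload(id_type, protocol, port, raw[_HEADER.size:])


def is_well_formed(raw):
    """True if parse_id_payload accepts the bytes."""
    try:
        parse_id_payload(raw)
        return True
    except ValueError:
        return False


def build_id_payload(id_type, protocol, port, data, next_payload=0):
    """Encode a payload; used here only to construct sample inputs."""
    return _HEADER.pack(next_payload, 0, _HEADER.size + len(data),
                        id_type, protocol, port) + data


def sample_payloads():
    """Constructed sample payloads (hypothetical values, not from a capture)."""
    v4 = lambda s: ipaddress.IPv4Address(s).packed
    return {
        "host": build_id_payload(ID_IPV4_ADDR, 0, 0, v4("10.1.2.3")),
        "subnet_http": build_id_payload(ID_IPV4_ADDR_SUBNET, 6, 80,
                                        v4("10.1.0.0") + v4("255.255.0.0")),
        "range": build_id_payload(ID_IPV4_ADDR_RANGE, 0, 0,
                                  v4("192.0.2.10") + v4("192.0.2.20")),
        "fqdn": build_id_payload(ID_FQDN, 0, 0, b"gw.example.com"),
    }


if __name__ == "__main__":
    for label, raw in sample_payloads().items():
        p = parse_id_payload(raw)
        print(label, p.id_type, p.protocol, p.port,
              p.network or p.addr_range or p.name,
              "selector" if p.is_traffic_selector() else "peer name")
```

The three address-typed samples decode to a host, a subnet restricted to TCP port 80, and an address range, and `matches()` answers the question "may this packet use the SA?" directly from the payload; the FQDN sample decodes to a peer name for which that question has no answer. That asymmetry is the point under discussion: the same payload type name covers both an authentication identity and a packet selector.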