
IPSEC Policy Selectors and ISAKMP
After spending considerable time reviewing the various IETF draft documents
(i.e., [ARCH] Security Architecture for the IP, ISAKMP, and the [DOI]
Internet IP Security DOI for ISAKMP), I am unable to answer the following
questions and would appreciate any insight you may offer.

1.  The [ARCH] specifies the various Selectors which may be used in
constructing, and identifying, a policy entry to be used in establishing a
Security Association (SA).  I understand how the ISAKMP Initiator may
examine the packet, or other available identification information, in
locating the appropriate outbound policy.  However, I question how the
appropriate Selectors may be conveyed to the ISAKMP Responder, during a
phase-2 negotiation, so that the Responder may identify the appropriate
policy within its database.  Neither the DOI Situation, nor Identification
payloads, can convey all the Selector values known by the ISAKMP Initiator
which could possibly be needed by the Responder in locating a policy entry.

2.  The [DOI] defines the Identification payload which provides a single
Port value and possibly an address identifier.  The [DOI] does not specify
the context of these Identification values for the Initiator.  Do they
represent the source values of the resulting inner or outer IP header?

3.  Presuming the specification of an address range/subnet, within an ISAKMP
Identification payload, is based upon a selected outbound policy entry, is
it assumed that the ISAKMP Responder must have a corresponding policy entry
for this range/subnet?  What happens if the Responder's inbound policy is
based upon User Identification, not address?

4.  Given the variety of ISAKMP Identification payloads which could be sent
during SA negotiation, how does one side know what form of Identification is
acceptable to the other side?  Is it assumed that the exact same policy
entry (based upon a set of selector values) is used by both sides?

Thanks for the help!

John Irish
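As an added illustration of the Responder-side lookup asked about in questions 1 and 3 (example code, not part of the original post or of any IETF document), a small model of a Security Policy Database whose entries are keyed either by address selectors or by user identity, matched against the address data and protocol/port carried in a phase-2 Identification payload. The numeric ID types are the IPsec DOI values as later assigned in RFC 2407 (assumed here, the draft under discussion may differ); the SPD entries and addresses are constructed.

```python
import ipaddress

# Identification types from the IPsec DOI for ISAKMP (numeric values as
# assigned in RFC 2407; assumed here, the draft under discussion may differ)
ID_IPV4_ADDR, ID_USER_FQDN, ID_IPV4_ADDR_SUBNET, ID_IPV4_ADDR_RANGE = 1, 3, 4, 7


def id_payload_range(id_type, data):
    """Map an Identification payload's address data to an inclusive (lo, hi)
    integer pair; None for types that carry no address (ID_USER_FQDN etc.)."""
    if id_type == ID_IPV4_ADDR:
        a = int(ipaddress.IPv4Address(data))
        return (a, a)
    if id_type == ID_IPV4_ADDR_SUBNET:                 # data "address/mask"
        net = ipaddress.IPv4Network(data, strict=False)
        return (int(net.network_address), int(net.broadcast_address))
    if id_type == ID_IPV4_ADDR_RANGE:                  # data "low-high"
        lo, hi = (int(ipaddress.IPv4Address(x)) for x in data.split("-"))
        return (lo, hi)
    return None


def lookup_policy(spd, id_type, data, protocol=0, port=0):
    """Responder side: name of the first SPD entry whose selectors cover all
    the Initiator's ID payload names, else None.  Protocol/port 0 means 'any'
    on both sides, so a wildcard payload only matches a wildcard selector."""
    rng = id_payload_range(id_type, data)
    for entry in spd:
        if rng is None or entry["addr"] is None:
            continue   # user-keyed entries and address IDs never meet (question 3)
        lo, hi = entry["addr"]
        if not (lo <= rng[0] and rng[1] <= hi):
            continue   # payload names addresses outside this entry's selector
        if entry["protocol"] in (0, protocol) and entry["port"] in (0, port):
            return entry["name"]
    return None


# Constructed Responder SPD: two address-keyed entries and one user-keyed entry
SPD = [
    {"name": "host-A-telnet", "addr": id_payload_range(ID_IPV4_ADDR, "10.1.1.5"),
     "protocol": 6, "port": 23},
    {"name": "lan-any", "addr": id_payload_range(ID_IPV4_ADDR_SUBNET, "10.1.0.0/16"),
     "protocol": 0, "port": 0},
    {"name": "user-john", "addr": None, "user": "john@example.com",
     "protocol": 0, "port": 0},
]

if __name__ == "__main__":
    print(lookup_policy(SPD, ID_IPV4_ADDR, "10.1.1.5", 6, 23))     # host-A-telnet
    print(lookup_policy(SPD, ID_USER_FQDN, "john@example.com"))    # None
```

The last call shows the gap raised in question 3: a user-based Identification carries nothing an address-keyed SPD can match, and an address-based one carries nothing a user-keyed entry can match.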