
Re: ISAKMP identification types



The short answer is, yes.  They were a subset by design.  The interpretation
of an IKE endpoint identity that is not an IP address or subnet is somewhat
nebulous.  To ensure interoperability amongst initial IKE implementations we
wanted to keep it simple.  Note that the Phase 1 identity list is constrained
by the DOI specified in the associated Phase 1 negotiation.  If you specify
the IPSEC DOI, you are free to use the identity types defined in the IPSEC
DOI.  It's only when you specify a DOI of zero that you're constrained by the
"generic" ISAKMP identity type list in Appendix A.

Derrell


