
Re: matching GW addr to ID payload (fwd)



On Fri, 3 Dec 1999, Slava Kavsan wrote:

> "CHINNA N.R. PELLACURU" wrote:
> 
> > Is this acceptable, or should we enforce that ID and the IP address used
> > should be equal?
> 
> I would say yes in the case when ID Payload contains IP Address type.
> But we should also allow to have ID Payload to contain FQDN type (and other
> non-IP IDs) and use it to select the Policy entry.
> 
> 
> 

If you do not check that the ID used to search the pre-shared key is the
same as the ID payload content, then you should not use the ID payload
content to select policy. I.e., in MM using pre-shared keys, only the source
IP address on the negotiation can be used to select policy.

If I know the pre-shared key associated with IP1, then the gateway should
select the policy associated with IP1, and should not select the policy
based on what I sent in the ID payload (if this is different from IP1).

-chinna

chinna narasimha reddy pellacuru
s/w engineer
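
The rule argued in the message above, sketched as an added example that is not part of the original thread: the pre-shared key is looked up by source address, so policy is taken from that address and the ID payload is either ignored or, with `enforce_match`, required to equal it. The tables, function names, and the `enforce_match` switch are assumptions made for illustration; `ID_IPV4_ADDR` and `ID_FQDN` are the IPsec DOI identification type names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample tables (assumptions, not from the thread); both share the same keys.
PSK_BY_SRC_IP = {"192.0.2.10": b"key-A", "192.0.2.20": b"key-B"}
POLICY_BY_IP = {"192.0.2.10": "policy-A", "192.0.2.20": "policy-B"}


@dataclass
class Decision:
    accepted: bool
    policy: Optional[str]
    reason: str


def id_matches_source(src_ip: str, id_type: str, id_value: str) -> bool:
    """True only when the ID payload is an IP address equal to the source address."""
    if id_type != "ID_IPV4_ADDR":
        return False  # FQDN and other non-IP IDs are not what the key was looked up by
    try:
        return ipaddress.ip_address(id_value) == ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # malformed address in the payload


def select_policy(src_ip: str, id_type: str, id_value: str,
                  enforce_match: bool = False) -> Decision:
    """Choose policy for a Main Mode pre-shared-key peer.

    The key was found by src_ip, so knowing it proves only that identity;
    the ID payload never selects the policy here.
    """
    if src_ip not in PSK_BY_SRC_IP:
        return Decision(False, None, "no pre-shared key for source address")
    matched = id_matches_source(src_ip, id_type, id_value)
    if not matched and enforce_match:
        return Decision(False, None, "ID payload differs from key lookup address")
    reason = ("ID payload equals source address" if matched
              else "ID payload ignored, policy taken from source address")
    return Decision(True, POLICY_BY_IP[src_ip], reason)


if __name__ == "__main__":
    # A peer holding the key for 192.0.2.10 sends different ID payloads.
    for claim in [("ID_IPV4_ADDR", "192.0.2.10"), ("ID_IPV4_ADDR", "192.0.2.20"),
                  ("ID_FQDN", "gw-b.example.net")]:
        print(claim, select_policy("192.0.2.10", *claim))
```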


