
Re: matching GW addr to ID payload (fwd)



Well... in this case neither my scheme nor Jan's scheme is going to work with
NAT.
Unless users are willing to switch to alternatives like Aggressive Mode or
Certificate-based authentication, NAT users will be out of luck :((.

"CHINNA N.R. PELLACURU" wrote:

> On Fri, 3 Dec 1999, Slava Kavsan wrote:
>
> > "CHINNA N.R. PELLACURU" wrote:
> >
> > > Is this acceptable, or should we enforce that ID and the IP address used
> > > should be equal?
> >
> > I would say yes in the case when ID Payload contains IP Address type.
> > But we should also allow the ID Payload to contain FQDN type (and other
> > non-IP IDs) and use it to select the Policy entry.
> >
>
> If you do not check that the ID used to search the pre-shared key is the
> same as the ID payload content, then you should not use the ID payload
> content to select policy. I.e., in MM using pre-shared keys, only the source
> IP address on the negotiation can be used to select policy.
>
> If I know the pre-shared key associated with IP1, then the gateway should
> select the policy associated with IP1, and should not select the policy
> based on what I sent in the ID payload (if this is different from IP1).
>
> -chinna
>
> chinna narasimha reddy pellacuru
> s/w engineer

--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-539-4816
http://www.ire.com
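The rule Chinna states above (policy must follow the identity whose pre-shared key was actually used, not the ID payload) and the NAT failure Slava points out, as an added Python example that is not part of the thread. The ID type numbers follow the IKEv1 identification types in RFC 2407; the key and policy tables and the addresses are constructed sample data.

```python
import ipaddress

# IKEv1 identification types (RFC 2407): ID_IPV4_ADDR = 1, ID_FQDN = 2.
ID_IPV4_ADDR = 1
ID_FQDN = 2

# Constructed sample data.  In Main Mode the pre-shared key is needed to
# derive SKEYID before the ID payload can be decrypted, so the key can only
# be selected by the source IP address of the negotiation.
PSK_BY_IP = {
    "192.0.2.10": b"psk-for-branch-a",
    "192.0.2.20": b"psk-for-branch-b",
}

# Policy is indexed by the identity that the PSK lookup actually bound:
# the peer's source IP, not whatever the peer later puts in its ID payload.
POLICY_BY_IP = {
    "192.0.2.10": {"name": "branch-a", "allow": "10.1.0.0/16"},
    "192.0.2.20": {"name": "branch-b", "allow": "10.2.0.0/16"},
}


def select_psk(src_ip):
    """Main Mode with pre-shared keys: only the source IP can pick the key."""
    return PSK_BY_IP.get(src_ip)


def select_policy(src_ip, id_type, id_value):
    """Return the policy for an authenticated peer, or None to reject.

    Authentication under the key found for src_ip proves only that the peer
    holds the key for src_ip.  The ID payload therefore may not redirect
    policy selection: an IP-type ID must equal src_ip, and a non-IP ID
    (FQDN) is tolerated but policy is still keyed by src_ip.  A peer behind
    NAT arrives from an address with no key, and so is rejected here.
    """
    if select_psk(src_ip) is None:
        return None
    if id_type == ID_IPV4_ADDR:
        try:
            claimed = ipaddress.ip_address(id_value)
        except ValueError:
            return None  # malformed IP in the ID payload
        if claimed != ipaddress.ip_address(src_ip):
            return None  # ID claims an address other than the one whose key authenticated it
    return POLICY_BY_IP.get(src_ip)
```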