
Re: matching GW addr to ID payload (fwd)



On Fri, 3 Dec 1999, Bronislav Kavsan wrote:
> Chinna,
> 
> Say I have an imaginary implementation that has two tables:
> 
> 1) Pre-shared Keys table searched by source-ip-address
> 2) Phase 2 Policy Table searched by ID (which could be of all types: FQDN, USER_FQDN, IP
> Address, etc)
> 
> What problem do you see in using Table #1 to select pre-shared keys and
> using Table #2 to select Phase 2 Policy based on ID Payload?
> 
Unless you link the two tables, you can't do this (for what SHOULD be obvious
reasons). For example, you'd have to require that
ID_USER_FQDN=vilhuber@cisco.com can only log in using source-ip-address
1.1.1.1 and nothing else. Or ID_IPV4=1.1.1.1 can only log in using
source-ip-address 1.1.1.1. Otherwise, if you don't make that link, you can't
use the ID to select policy, since you haven't verified the policy.

And if you DO link the two tables, you don't work anymore through NAT (group
keys or not), which is the current problem.

So you have two options: Do it as you already do, and link the tables, in
which case you CAN pick policy (but then you'll have to also link ID_FQDN and
ID_USER_FQDN to the source-ip-address; something I know you currently don't
do), or you ignore the ID payload altogether, and simply pick policy on what
was used to pick the key, i.e. the source-ip-address.

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
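The three options Jan lays out (unlinked tables, linked tables, ignore the ID) as an added example; this is not code from the thread or from any Cisco implementation. It models pre-shared-key Main Mode at the responder: the PSK is chosen by source address, the HASH_I that authenticates the ID payload is stood in for by an HMAC keyed on that PSK, and the tables, the key bytes, the policy names, the NAT box address 2.2.2.2 and the user alice@example.com are all constructed for the demonstration (only 1.1.1.1 and vilhuber@cisco.com come from the message).

```python
import hashlib
import hmac

# Constructed example tables.  Only the address 1.1.1.1 and the identity
# vilhuber@cisco.com come from the thread; 2.2.2.2 (a NAT box's public
# address), alice, the policy names and the key bytes are made up.
PSK_BY_SRC_IP = {
    # Table 1: pre-shared key selected by source address.  "ids" is the extra
    # column that "linking the tables" adds: which IDs this key may claim.
    "1.1.1.1": {"psk": b"psk-for-1.1.1.1",
                "ids": {("ID_IPV4", "1.1.1.1"),
                        ("ID_USER_FQDN", "vilhuber@cisco.com")}},
    # A NAT box's public address with a group key shared by the hosts behind it.
    "2.2.2.2": {"psk": b"group-psk-behind-nat",
                "ids": {("ID_IPV4", "2.2.2.2")}},
}
# Table 2: Phase 2 policy selected by ID payload.
POLICY_BY_ID = {
    ("ID_IPV4", "1.1.1.1"): "site-to-site",
    ("ID_USER_FQDN", "vilhuber@cisco.com"): "admin-access",
    ("ID_USER_FQDN", "alice@example.com"): "road-warrior",
}
# Used by the "ignore the ID" option: policy keyed on what selected the key.
POLICY_BY_SRC_IP = {"1.1.1.1": "site-to-site", "2.2.2.2": "road-warrior"}


def id_hash(psk, id_payload):
    """Stand-in for HASH_I: the ID payload keyed under SKEYID, which in
    pre-shared-key Main Mode is derived from the PSK.  It proves only that the
    sender knows *this* PSK, not that the ID it carries is true."""
    id_type, id_data = id_payload
    return hmac.new(psk, f"{id_type}:{id_data}".encode(), hashlib.sha1).digest()


def initiator(psk, claimed_id):
    """Any holder of the PSK can put whatever it likes in the ID payload."""
    return claimed_id, id_hash(psk, claimed_id)


def responder(src_ip, id_payload, hash_i, option):
    """option: "unlinked" (Table 1 by source IP, Table 2 by ID, no link),
    "linked" (ID must be one the key is bound to), or "ignore-id"
    (policy chosen by source IP, the same thing that chose the key)."""
    entry = PSK_BY_SRC_IP.get(src_ip)
    if entry is None:
        return ("reject", "no pre-shared key for source address")
    if not hmac.compare_digest(hash_i, id_hash(entry["psk"], id_payload)):
        return ("reject", "HASH_I mismatch")
    # Authentication passed: all we know is that the peer holds the key
    # that Table 1 returned for src_ip.
    if option == "ignore-id":
        return ("accept", POLICY_BY_SRC_IP[src_ip])
    if option == "linked" and id_payload not in entry["ids"]:
        return ("reject", "ID not bound to the key selected by source address")
    policy = POLICY_BY_ID.get(id_payload)
    return ("accept", policy) if policy else ("reject", "no policy for ID")


def scenario_claim_other_id(option):
    """Peer 1.1.1.1 (or anyone holding its key) claims alice's identity."""
    claimed, h = initiator(PSK_BY_SRC_IP["1.1.1.1"]["psk"],
                           ("ID_USER_FQDN", "alice@example.com"))
    return responder("1.1.1.1", claimed, h, option)


def scenario_behind_nat(option):
    """vilhuber behind the NAT box: packets arrive from 2.2.2.2 under the
    group key, but the ID payload names the real identity."""
    claimed, h = initiator(PSK_BY_SRC_IP["2.2.2.2"]["psk"],
                           ("ID_USER_FQDN", "vilhuber@cisco.com"))
    return responder("2.2.2.2", claimed, h, option)


if __name__ == "__main__":
    for opt in ("unlinked", "linked", "ignore-id"):
        print(opt, scenario_claim_other_id(opt), scenario_behind_nat(opt))
```

With the tables unlinked, the holder of the 1.1.1.1 key is handed alice's road-warrior policy and anyone behind the NAT with the group key gets the admin-access policy, because the ID was authenticated by a key that says nothing about that ID. Linking the tables stops both, and with it the NAT case altogether, since the ID presented never matches the source address the group key was found under. Ignoring the ID accepts both, but every peer sharing a source address (the whole population behind the NAT) gets the same policy.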


