
ID payload on phase 2.



Hi folks, let me ask my questions.

Which IP address is included in the ID payload on Phase 2?  The draft says that
if there is no ID payload, then the ID is the IP address of the IKE peers.
But I'm confused about the case where there is an ID payload.

Assume that we will create the SAs between SG1 and SG2.  The 5th paragraph of
section 6.2 in draft-ietf-ipsec-ike-01.txt means:

	1. IDi2, IDr2 mean the nodes whose IP addresses are
	   protected by the SAs.
	        IDi2 ----- SG1 ====== SG2 ----- IDr2
	     or
	             SG1(IDi2) ====== SG2(IDr2)

	2. IDi2, IDr2 mean the IP addresses of the ends of the IPsec-SA.
              X ----- SG1(IDi2) ===== SG2(IDr2)----- Y

I think #1 is right because the ID is used to decide the acceptable proposal.
If so, I have a next question.  Which IP address is used as the IP
address of the end of the IPsec-SA?
Is the end of the IKE-SA's IP address always the same as the IPsec-SA's?
If a node has several IP addresses, then is there a potential that multiple SAs
based on IP addresses are created, but the same nodes are communicating?

	node A               node B
	  IPa1 ---- SA1 ----> IPb
	  IPa2 ---- SA2 ----> IPb
	  IPa3 ---- SA3 ----> IPb

I think it would be useful if the IKE peers could exchange the IP addresses of
the ends of the IPsec-SA on phase 2.

Regards,

/Shoichi `NE' Sakane @ KAME project/
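The following is an added worked example, not code from the post above or from the KAME project, showing the two things the post asks about in running code: how a Phase 2 Identification payload encodes the protected addresses, and how the IDs (when present) name the traffic behind the gateways while the SA itself still runs between the IKE peers' addresses, which is interpretation #1 in the post. The payload layout follows the IPsec DOI as later published in RFC 2408 section 3.8 and RFC 2407 section 4.6.2; the draft-ietf-ipsec-ike-01 text discussed above may differ in detail. The gateway addresses, subnets and the SG2 policy table are constructed for illustration; `SG2_POLICY`, `acceptable()` and `phase2_selectors()` are names invented for this example, not IKE terminology.

```python
"""Phase 2 (Quick Mode) Identification payloads and the traffic they select.

Added example; not code from the original post. Payload layout follows the
IPsec DOI as later published (RFC 2408 s.3.8, RFC 2407 s.4.6.2); the draft
discussed in the post may differ in detail. Addresses and the policy table
are constructed for illustration.
"""
import ipaddress
import struct

# ID types from the IPsec DOI (RFC 2407, section 4.6.2.1). Only the two
# used for IPv4 address selectors are implemented here.
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4

# ISAKMP Identification payload (payload type 5) with the IPsec DOI's
# reading of the three "DOI specific" bytes:
#   Next Payload(1) RESERVED(1) Payload Length(2) ID Type(1) Protocol ID(1) Port(2) ID Data
_HDR = struct.Struct("!BBHBBH")


def encode_id(id_type, data, protocol_id=0, port=0, next_payload=0):
    """Build one Identification payload for an IPv4 host or subnet."""
    if id_type == ID_IPV4_ADDR:
        body = ipaddress.IPv4Address(data).packed
    elif id_type == ID_IPV4_ADDR_SUBNET:
        net = ipaddress.IPv4Network(data)
        body = net.network_address.packed + net.netmask.packed
    else:
        raise ValueError("unsupported ID type %d" % id_type)
    return _HDR.pack(next_payload, 0, _HDR.size + len(body),
                     id_type, protocol_id, port) + body


def decode_id(raw):
    """Parse an Identification payload into (network, protocol_id, port).

    A single host (ID_IPV4_ADDR) is returned as a /32 so it compares directly
    with a subnet ID. Length and ID-data sizes are checked before any address
    is parsed, as a receiver should do.
    """
    if len(raw) < _HDR.size:
        raise ValueError("payload shorter than its fixed header")
    _nxt, _res, length, id_type, proto, port = _HDR.unpack_from(raw)
    if length != len(raw):
        raise ValueError("length field %d != payload size %d" % (length, len(raw)))
    data = raw[_HDR.size:]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        net = ipaddress.IPv4Network("%s/32" % ipaddress.IPv4Address(data))
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        net = ipaddress.IPv4Network("%s/%s" % (ipaddress.IPv4Address(data[:4]),
                                              ipaddress.IPv4Address(data[4:])))
    else:
        raise ValueError("bad ID type %d / data length %d" % (id_type, len(data)))
    return net, proto, port


def phase2_selectors(idci, idcr, ike_initiator, ike_responder):
    """Derive what the new IPsec SA protects (interpretation #1 in the post).

    The IDs describe the traffic behind the gateways; the SA itself still runs
    between the IKE peers' addresses. With no ID payloads the default is the
    IKE peers' own addresses, i.e. a host-to-host SA between them.
    Each of src/dst is a (network, protocol_id, port) tuple.
    """
    tunnel = (ipaddress.IPv4Address(ike_initiator), ipaddress.IPv4Address(ike_responder))
    if idci is None and idcr is None:
        src = (ipaddress.IPv4Network("%s/32" % tunnel[0]), 0, 0)
        dst = (ipaddress.IPv4Network("%s/32" % tunnel[1]), 0, 0)
    elif idci is not None and idcr is not None:
        src, dst = decode_id(idci), decode_id(idcr)
    else:
        raise ValueError("IDci and IDcr must be both present or both absent")
    return {"tunnel": tunnel, "src": src, "dst": dst}


# Constructed policy for SG2 as responder: (remote network, local network)
# pairs it is willing to protect. A proposal whose IDs fall outside every
# entry is rejected; this is how the IDs decide the acceptable proposal.
SG2_POLICY = [
    (ipaddress.IPv4Network("10.1.0.0/16"), ipaddress.IPv4Network("10.2.0.0/16")),
]


def acceptable(policy, src_net, dst_net):
    """True if the (src, dst) taken from the IDs fits inside a policy entry."""
    return any(src_net.subnet_of(p_src) and dst_net.subnet_of(p_dst)
               for p_src, p_dst in policy)


if __name__ == "__main__":
    sg1, sg2 = "192.0.2.1", "198.51.100.1"      # IKE peer addresses (constructed)
    # Case 1: IDs carried; the SA protects two subnets behind the gateways.
    idci = encode_id(ID_IPV4_ADDR_SUBNET, "10.1.0.0/16")
    idcr = encode_id(ID_IPV4_ADDR_SUBNET, "10.2.0.0/16")
    sel = phase2_selectors(idci, idcr, sg1, sg2)
    print("tunnel", sel["tunnel"], "protects", sel["src"][0], "->", sel["dst"][0],
          "accepted:", acceptable(SG2_POLICY, sel["src"][0], sel["dst"][0]))
    # Case 2: no IDs; the SA protects only the SG1 <-> SG2 traffic itself.
    sel = phase2_selectors(None, None, sg1, sg2)
    print("tunnel", sel["tunnel"], "protects", sel["src"][0], "->", sel["dst"][0])
```

Note that in both cases the tunnel endpoints come from the IKE exchange, not from the ID payloads; only the selector (which packets get encapsulated) changes when IDs are present. The post's second question, whether the IPsec-SA endpoint can differ from the IKE-SA endpoint on a multi-homed node, is exactly what this model does not express, since `phase2_selectors()` takes the tunnel addresses from the IKE peers.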

