
Re: ID payload on phase 2.



  The ID payload describes the selector for the IP packets to which some
IPSec transforms will be applied. If your selector is for all TCP packets
between net 10.10.10/24 and host 10.20.20.2, then that is what would
be conveyed in the ID payloads during phase 2. IKE would've been started
because there were no IPSec SAs for TCP packets from 10.10.10/24 to
10.20.20.2, and once an IKE SA is established with 10.20.20.2 from the
gateway which protects 10.10.10/24, that gateway would initiate a phase
2 exchange with IDs for 10.10.10/24/tcp/0 and 10.20.20.2/tcp/0.

  Dan.

On Tue, 07 Dec 1999 15:09:13 +0900 you wrote
> Hi folks, let me ask my questions.
> 
> Which IP address is included in the ID payload on Phase 2?  The draft says that
> if there is no ID payload, then the ID is the IP address of the IKE peers.
> But I'm confused about the case where there is an ID payload.
> 
> Assume that we will create the SAs between SG1 and SG2.  In section 6.2
> of draft-ietf-ipsec-ike-01.txt, the 5th paragraph means:
> 
> 	1. IDi2, IDr2 mean which nodes, having the IP address, are
> 	   protected by the SAs.
> 	        IDi2 ----- SG1 ====== SG2 ----- IDr2
> 	     or
> 	             SG1(IDi2) ====== SG2(IDr2)
> 
> 	2. IDi2, IDr2 mean the IP address of the end of the IPsec-SA.
> 	        X ----- SG1(IDi2) ===== SG2(IDr2) ----- Y
> 
> I think #1 is right because the ID is used to decide the acceptable proposal.
> If so, I have a next question.  Which IP address is used as the IP
> address of the end of the IPsec-SA?
> Is the IP address of the end of the IKE-SA always the same as the IPsec-SA's?
> If a node has some IP addresses, then is there a potential that multiple SAs
> based on IP address are created, but the same nodes are communicating?
> 
> 	node A               node B
> 	  IPa1 ---- SA1 ----> IPb
> 	  IPa2 ---- SA2 ----> IPb
> 	  IPa3 ---- SA3 ----> IPb
> 
> I think it would be useful if the IKE peers could exchange the IP address
> of the end of the IPsec-SA on phase 2.
> 
> Regards,
> 
> /Shoichi `NE' Sakane @ KAME project/
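As an added example, not part of Dan's reply or of the draft under discussion, the following Python builds, parses and applies the phase 2 ID payloads for the selector in the reply (10.10.10/24/tcp/0 on the initiator side, 10.20.20.2/tcp/0 on the responder side). The byte layout follows the ISAKMP Identification Payload as used by the IPsec DOI (RFC 2408 section 3.8 and RFC 2407 section 4.6.2), where protocol ID 0 and port 0 mean "any"; the `Phase2Id`, `packet_matches`, `covers` and `within` names are this example's own, not from any implementation.

```python
# Added example, not from the thread: build, parse and apply the phase 2
# ID payloads discussed above. Layout follows the ISAKMP Identification
# Payload as used by the IPsec DOI (RFC 2408 s3.8 / RFC 2407 s4.6.2):
# next payload (1), reserved (1), length (2), ID type (1), protocol ID (1),
# port (2), identification data. Protocol 0 and port 0 mean "any".
import ipaddress
import struct
from dataclasses import dataclass

ID_IPV4_ADDR = 1         # data: 4-byte address
ID_IPV4_ADDR_SUBNET = 4  # data: 4-byte address followed by 4-byte mask
_HDR = struct.Struct("!BBHBBH")  # next, reserved, length, id_type, proto, port


@dataclass(frozen=True)
class Phase2Id:
    """One side of a phase 2 selector (the class and method names are this example's own)."""
    network: ipaddress.IPv4Network
    proto: int = 0   # 0 = any protocol
    port: int = 0    # 0 = any port

    def __post_init__(self):
        # accept "10.20.20.2" or "10.10.10.0/24" as well as a ready-made network
        if not isinstance(self.network, ipaddress.IPv4Network):
            object.__setattr__(self, "network",
                               ipaddress.IPv4Network(self.network, strict=False))

    def encode(self, next_payload: int = 0) -> bytes:
        """Serialize to the on-the-wire ID payload (IPv4 address or subnet only)."""
        if self.network.prefixlen == 32:
            id_type, data = ID_IPV4_ADDR, self.network.network_address.packed
        else:
            id_type = ID_IPV4_ADDR_SUBNET
            data = self.network.network_address.packed + self.network.netmask.packed
        return _HDR.pack(next_payload, 0, _HDR.size + len(data),
                         id_type, self.proto, self.port) + data

    @classmethod
    def decode(cls, buf: bytes) -> "Phase2Id":
        """Parse one ID payload; reject data lengths that do not fit the declared type."""
        if len(buf) < _HDR.size:
            raise ValueError("truncated ID payload header")
        _next, _res, length, id_type, proto, port = _HDR.unpack_from(buf)
        data = buf[_HDR.size:length]
        if id_type == ID_IPV4_ADDR and len(data) == 4:
            net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(data)}/32")
        elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
            net = ipaddress.IPv4Network(
                f"{ipaddress.IPv4Address(data[:4])}/{ipaddress.IPv4Address(data[4:])}",
                strict=False)
        else:
            raise ValueError(f"unsupported or malformed ID (type {id_type}, {len(data)} data bytes)")
        return cls(net, proto, port)

    def covers(self, addr: str, proto: int, port: int) -> bool:
        """Does one packet endpoint (addr, proto, port) fall under this ID?"""
        return (ipaddress.IPv4Address(addr) in self.network
                and self.proto in (0, proto)
                and self.port in (0, port))

    def within(self, policy: "Phase2Id") -> bool:
        """Is this (peer-proposed) ID no wider than a local policy entry?"""
        return (self.network.subnet_of(policy.network)
                and policy.proto in (0, self.proto)
                and policy.port in (0, self.port))


def packet_matches(id_i: Phase2Id, id_r: Phase2Id, src: str, dst: str,
                   proto: int, sport: int, dport: int) -> bool:
    """True if a packet src->dst belongs to the SA negotiated for (IDi2, IDr2)."""
    return id_i.covers(src, proto, sport) and id_r.covers(dst, proto, dport)


if __name__ == "__main__":
    # the selector from the reply: 10.10.10/24/tcp/0 <-> 10.20.20.2/tcp/0
    idi = Phase2Id("10.10.10.0/24", proto=6)
    idr = Phase2Id("10.20.20.2", proto=6)
    print((idi.encode(next_payload=5) + idr.encode()).hex())
    print(packet_matches(idi, idr, "10.10.10.7", "10.20.20.2", 6, 40000, 80))
```

`covers` is the lookup a gateway does on each outbound packet to pick the SA; `within` is the check a responder would run against its own policy entry before accepting a proposal, which is the sense in which the ID is "used to decide the acceptable proposal" in the question above. Note that a peer's proposed IDs should be checked this way rather than trusted, since a narrower or wider selector than policy allows changes which traffic ends up protected.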

