RE: ID payload on phase 2.
> I'm confused. Are you saying that the ID payload contains a selector
> such as 10.10.10/24/tcp/0?
>
> According to the DOI RFC (RFC 2407), Section 4.6.2, the ID payload may
> contain various kinds of addresses and names, but not selectors. It
> could contain 10.10.10/24 but not 10.10.10/24/tcp/0.
Sure it can. Check out the format of the ID payload from section 4.6.2:
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ! Next Payload  !   RESERVED    !         Payload Length        !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      !   ID Type     !  Protocol ID  !             Port              !
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ~                     Identification Data                       ~
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Note the protocol id and port fields.
Sumit A. Vakil
Caly Networks
>
> Francisco
>
> ______________________________ Reply Separator _________________________________
> Subject: Re: ID payload on phase 2.
> Author: Non-HP-dharkins (dharkins@network-alchemy.com) at HP-ColSprings,mimegw5
> Date: 12/6/99 11:05 PM
>
> The ID payload describes the selector for which IP packets will be
> applied some IPSec transforms. If your selector is for all TCP packets
> between net 10.10.10/24 and host 10.20.20.2 then that is what would
> be conveyed in the ID payloads during phase 2. IKE would've been started
> because there were no IPSec SAs for TCP packets from 10.10.10/24 to
> 10.20.20.2 and once an IKE SA is established with 10.20.20.2 from the
> gateway which protects 10.10.10/24 that gateway would initiate a phase
> 2 exchange with IDs for 10.10.10/24/tcp/0 and 10.20.20.2/tcp/0.
>
> Dan.
>
> On Tue, 07 Dec 1999 15:09:13 +0900 you wrote
> > Hi folks, let me know my questions.
> >
> > Which IP address is included in the ID payload on Phase 2? The draft
> > says that if there is no ID payload, then the ID is the IP address of
> > the IKE peers. But I'm confused about the case where there is an ID
> > payload.
> >
> > Assume that we will create the SAs between SG1 and SG2. In section 6.2
> > of draft-ietf-ipsec-ike-01.txt, the 5th paragraph means either:
> >
> > 1. IDi2, IDr2 mean which nodes having the IP address are protected by
> >    the SAs.
> >    IDi2 ----- SG1 ====== SG2 ----- IDr2
> >    or
> >    SG1(IDi2) ====== SG2(IDr2)
> >
> > 2. IDi2, IDr2 mean the IP address of the end of the IPsec-SA.
> >    X ----- SG1(IDi2) ===== SG2(IDr2) ----- Y
> >
> > I think #1 is right because the ID is used to decide the acceptable
> > proposal. If so, I have a next question. Which IP address is used as
> > the IP address of the end of the IPsec-SA? Is the IP address of the end
> > of the IKE-SA always the same as the IPsec-SA's? If a node has several
> > IP addresses, is there a potential that multiple SAs based on IP
> > address are created, even though the same nodes are communicating?
> >
> >    node A             node B
> >    IPa1 ---- SA1 ----> IPb
> >    IPa2 ---- SA2 ----> IPb
> >    IPa3 ---- SA3 ----> IPb
> >
> > I think it would be useful if the IKE peers could exchange the end IP
> > addresses of the IPsec-SA on phase 2.
> >
> > Regards,
> >
> > /Shoichi `NE' Sakane @ KAME project/
>
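The two points made in this thread (Sumit's reminder that the ID payload carries Protocol ID and Port fields, and Dan's description of a phase 2 exchange with IDs for 10.10.10/24/tcp/0 and 10.20.20.2/tcp/0) can be checked with a small encoder/decoder for the RFC 2407 section 4.6.2 layout. The code below is an added example written for this archive page; it is not from any of the posters or from any IKE implementation. The numeric ID Type values (ID_IPV4_ADDR = 1, ID_IPV4_ADDR_SUBNET = 4, ID_IPV4_ADDR_RANGE = 7) are taken from RFC 2407 section 4.6.2.1; the "addr/prefix/proto/port" selector notation, the shorthand "10.10.10" for 10.10.10.0, and the `covers()` helper that matches a packet tuple against a decoded ID are assumptions of this example, not anything defined by the RFC or the thread.

```python
"""Encode and decode IKE phase 2 ID payloads (RFC 2407 section 4.6.2)."""
import ipaddress
import struct

# ID Type values from RFC 2407 section 4.6.2.1; only the IPv4 forms are handled here.
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
ID_IPV4_ADDR_RANGE = 7

# IP protocol numbers; 0 in the Protocol ID field means "any protocol" (RFC 2407).
PROTO_NUM = {"any": 0, "icmp": 1, "tcp": 6, "udp": 17}
PROTO_NAME = {v: k for k, v in PROTO_NUM.items()}

# Generic payload header (Next Payload, RESERVED, Payload Length) followed by
# ID Type, Protocol ID and Port, all in network byte order.
HDR_FMT = "!BBHBBH"
HDR_LEN = struct.calcsize(HDR_FMT)  # 8 bytes


def _expand_ipv4(text):
    """Accept the thread's shorthand: '10.10.10' means 10.10.10.0 (assumed notation)."""
    octets = text.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Address(".".join(octets))


def parse_selector(selector):
    """'10.10.10/24/tcp/0' -> (id_type, id_data, protocol_number, port). Assumed notation."""
    parts = selector.split("/")
    if len(parts) == 4:                                  # addr/prefix/proto/port
        addr, prefix, proto, port = parts
        net = ipaddress.IPv4Network(f"{_expand_ipv4(addr)}/{prefix}", strict=False)
        id_type, data = ID_IPV4_ADDR_SUBNET, net.network_address.packed + net.netmask.packed
    elif len(parts) == 3 and "-" in parts[0]:            # first-last/proto/port
        first, last = parts[0].split("-", 1)
        proto, port = parts[1], parts[2]
        id_type, data = ID_IPV4_ADDR_RANGE, _expand_ipv4(first).packed + _expand_ipv4(last).packed
    elif len(parts) == 3:                                # addr/proto/port
        addr, proto, port = parts
        id_type, data = ID_IPV4_ADDR, _expand_ipv4(addr).packed
    else:
        raise ValueError(f"unrecognised selector {selector!r}")
    proto_num = int(proto) if proto.isdigit() else PROTO_NUM[proto.lower()]
    port_num = int(port)
    if not 0 <= proto_num <= 255 or not 0 <= port_num <= 0xFFFF:
        raise ValueError("protocol or port out of range")
    return id_type, data, proto_num, port_num


def encode_id(selector, next_payload=0):
    """Build the wire form of one ID payload carrying the given selector."""
    id_type, data, proto, port = parse_selector(selector)
    length = HDR_LEN + len(data)
    return struct.pack(HDR_FMT, next_payload, 0, length, id_type, proto, port) + data


def decode_id(buf):
    """Parse one ID payload from the front of buf; bytes past Payload Length are ignored."""
    if len(buf) < HDR_LEN:
        raise ValueError("truncated ID payload header")
    next_payload, _reserved, length, id_type, proto, port = struct.unpack(HDR_FMT, buf[:HDR_LEN])
    if length < HDR_LEN or length > len(buf):
        raise ValueError("Payload Length inconsistent with buffer")
    data = buf[HDR_LEN:length]
    proto_name = PROTO_NAME.get(proto, str(proto))
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        addrs = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(data)}/32")
        selector = f"{addrs.network_address}/{proto_name}/{port}"
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        # Identification Data is address followed by netmask; a non-contiguous mask is rejected.
        addrs = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(data[:4])}/{ipaddress.IPv4Address(data[4:])}", strict=False)
        selector = f"{addrs.network_address}/{addrs.prefixlen}/{proto_name}/{port}"
    elif id_type == ID_IPV4_ADDR_RANGE and len(data) == 8:
        addrs = (ipaddress.IPv4Address(data[:4]), ipaddress.IPv4Address(data[4:]))
        selector = f"{addrs[0]}-{addrs[1]}/{proto_name}/{port}"
    else:
        raise ValueError(f"unsupported ID Type {id_type} or bad data length {len(data)}")
    return {"next_payload": next_payload, "length": length, "id_type": id_type,
            "protocol": proto, "port": port, "addrs": addrs, "selector": selector}


def is_well_formed(buf):
    """True if buf starts with an ID payload this decoder accepts."""
    try:
        decode_id(buf)
        return True
    except ValueError:
        return False


def covers(decoded, ip, proto, port):
    """Selector test (assumed helper): does the decoded ID cover this packet tuple?
    Protocol ID 0 and Port 0 act as wildcards, as RFC 2407 describes."""
    addr = ipaddress.IPv4Address(ip)
    addrs = decoded["addrs"]
    in_addrs = addrs[0] <= addr <= addrs[1] if isinstance(addrs, tuple) else addr in addrs
    return in_addrs and decoded["protocol"] in (0, proto) and decoded["port"] in (0, port)


if __name__ == "__main__":
    # Constructed input: the IDi2/IDr2 pair Dan gives for the phase 2 exchange.
    for sel in ("10.10.10/24/tcp/0", "10.20.20.2/tcp/0"):
        wire = encode_id(sel)
        print(f"{sel:22} -> {wire.hex()} -> {decode_id(wire)['selector']}")
```

Running the script shows the subnet ID encoded as a 16-byte payload (ID Type 4, Protocol ID 6, Port 0, then address and mask) and the host ID as a 12-byte payload (ID Type 1), which is exactly the selector information the first quoted message doubted the payload could carry. The length and data-size checks in `decode_id()` are the part a gateway must not skip: Payload Length comes from the peer, so it is validated against the buffer before any slicing.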