[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Q: SPD & IKE phase2 IDs

To: Ichiro MIYAJIMA <miyajima@paso.fujitsu.co.jp>
Subject: Re: Q: SPD & IKE phase2 IDs
From: Ben McCann <bmccann@indusriver.com>
Date: Mon, 06 Mar 2000 07:51:16 -0500
CC: ipsec@lists.tislabs.com
References: <200003061204.VAA02636@orange.ap.paso.fujitsu.co.jp>
Sender: owner-ipsec@lists.tislabs.com

I interpret RFC2401 to require support for both cases:

> [No.1] :
> Phase 2(Quick Mode) ID payload
>         IDci = 192.168.20.5
>         IDcr = 192.168.21.8
>         ID Type = ID_IPV4_ADDR
> 
> or
> 
> [No.2] :
> Phase 2(Quick Mode) ID payload
>         IDci = 192.168.20.0/24
>         IDcr = 192.168.21.0/24
>         ID Type = ID_IPV4_ADDR_SUBNET
> 

This is a policy decision made by the administrator that is stored
in the policy bound to the SPD rule. A rule can generate new SAD
entries that are initialized from the packet (i.e. your case 1)
or they can generate an SAD entry that duplicates the filter defined
in the SPD (i.e. your case 2).

-Ben McCann

-- 
Ben McCann                              Indus River Networks
                                        31 Nagog Park
                                        Acton, MA, 01720
email: bmccann@indusriver.com           web: www.indusriver.com 
phone: (978) 266-8140                   fax: (978) 266-8111

References:

Q: SPD & IKE phase2 IDs

From: Ichiro MIYAJIMA <miyajima@paso.fujitsu.co.jp>

Prev by Date: RE: Q: Why IPSEC to be used only in CBC mode & not other like CFB or OFB ?
Next by Date: Re: Q: SPD & IKE phase2 IDs
Prev by thread: Q: SPD & IKE phase2 IDs
Next by thread: Re: Q: SPD & IKE phase2 IDs
Index(es):
- Main
- Thread