
Questions about RFC 2409 and Quick Mode identities
I think I need more words to clarify the identities in IKE Quick Mode.

I'm puzzling over the fourth paragraph on page 17 of RFC 2409 (starting
with "The identities of the SAs negotiated in Quick Mode").

At the top of page 18, in the definition of Quick Mode, I see optional
IDci and IDcr identities on both the initiator and responder side.

Since the notation is the same in both columns, does that mean the
values of these identities have to be the same?

That interpretation doesn't make sense to me.  I would have read this
as "the initiator wants to create an outbound SA for traffic whose
source is the IDci and whose destination is the IDcr in the first
message."  Then, the responder says "OK, and I want to create an
outbound SA whose source is the IDcr and whose destination is the IDci
in my response message."  I don't immediately see why the initiator's
(IDci, IDcr) pair must match the responder's.

Also, since the inbound end is the side that specifies the SPI value,
I assume that in the first Quick Mode message, the initiator specifies
the SPI that will be used for the SA the responder requests in the
second message?  Similarly, in the second message, the responder
assigns an SPI to the SA selected from the initiator's proposal list
in the first message?

Thank you in advance for any help.

					- Ken
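Added illustration, not part of Ken's post: a toy Python model of the bookkeeping both questions turn on. RFC 2407 section 4.4.1 defines the SPI in a proposal as the sending entity's SPI, so each side announces the SPI for its own inbound SA and Quick Mode always yields a pair of SAs. That the responder echoes IDci/IDcr unchanged, the rejection rule for changed identities, and all selector, transform and SPI values are assumptions constructed for the model.

```python
"""Toy model of the IKEv1 Quick Mode exchange in RFC 2409 section 5.5.
HASH, nonces, KE and the wire encodings are left out so that only the
identity and SPI bookkeeping the question is about remains visible."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    number: int       # Proposal # (RFC 2408); the responder's reply reuses it
    transform: str    # e.g. "ESP 3DES HMAC-MD5" (constructed sample strings)
    spi: int          # RFC 2407 4.4.1: the SENDING entity's SPI, i.e. the
                      # SPI the sender expects on its own INBOUND SA


@dataclass(frozen=True)
class SA:
    direction: str    # "inbound" / "outbound" from the installing side's view
    src: str          # traffic selectors taken from IDci / IDcr
    dst: str
    spi: int
    transform: str


def initiator_message1(proposals, idci, idcr):
    """Message 1: HDR*, HASH(1), SA, Ni [, KE] [, IDci, IDcr]."""
    return {"SA": list(proposals), "IDci": idci, "IDcr": idcr}


def responder_message2(msg1, chosen_number, responder_spi):
    """Message 2: the responder answers with exactly one proposal carrying
    its own inbound SPI and (model assumption) echoes IDci/IDcr unchanged."""
    chosen = next(p for p in msg1["SA"] if p.number == chosen_number)
    return {"SA": [Proposal(chosen.number, chosen.transform, responder_spi)],
            "IDci": msg1["IDci"], "IDcr": msg1["IDcr"]}


def install_pair(msg1, msg2, side):
    """Each side installs a PAIR of SAs for IDci <-> IDcr: its inbound SA
    uses the SPI it chose itself, its outbound SA uses the peer's SPI.
    Echoed identities that differ from message 1 are rejected (model rule)."""
    if (msg2["IDci"], msg2["IDcr"]) != (msg1["IDci"], msg1["IDcr"]):
        raise ValueError("responder changed the client identities")
    rsp = msg2["SA"][0]                                   # responder's reply
    ini = next(p for p in msg1["SA"] if p.number == rsp.number)  # what it chose
    idci, idcr = msg2["IDci"], msg2["IDcr"]
    if side == "initiator":
        return (SA("inbound", idcr, idci, ini.spi, ini.transform),
                SA("outbound", idci, idcr, rsp.spi, ini.transform))
    return (SA("inbound", idci, idcr, rsp.spi, ini.transform),
            SA("outbound", idcr, idci, ini.spi, ini.transform))


# Constructed sample run: initiator offers two proposals, responder picks #2.
MSG1 = initiator_message1([Proposal(1, "ESP 3DES HMAC-MD5", 0x1001),
                           Proposal(2, "ESP 3DES HMAC-SHA", 0x1002)],
                          "10.1.0.0/24", "10.2.0.0/24")
MSG2 = responder_message2(MSG1, chosen_number=2, responder_spi=0x2002)
```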