
Re: SPD Selector (Newbie) Question



At 03:22 02.08.01 +0200, you wrote:
>Hello,
>
>i am writing on my diploma thesis about VPNs (not in english as you
>may guess ;)) and have a question which may someone of you can answer.
>If this is not the place to ask such questions i am sorry, but i
>couldn't find a newsgroup for IPSec, if there is another newsgroup or
>list that fits better please tell me and i will no longer bother you
>=)
>

Don't worry, you found the correct list.

>In RFC2401 (Security Architecture for the Internet Protocol) on page
>17 it is mentioned that in the SPD there can be used IP addresses (and
>address ranges) or Identifiers like names. Now my question: Suppose i
>want to use names, how does a security gateway match incoming
>IP-packets from the local subnet (which should be sent secured over
>the internet to somewhere else) to those names? The hosts will not
>send identifiers along with every IP-packet i guess, so how does it
>work? If every SPD-entry has to have IP addresses in addition to the
>name, what is the name good for?
>
>hope you can help me
>
>Marco

"names" in the SPD are only used for the Phase 1, the authentication part.

The most natural ID for a computer is its IP address. So you normally
put that into the certificate and send an ID payload containing the IP
address.
But there are situations where this won't work. Most common is
a client using dialup. Now this client has to use another ID.
In this case the client might send the full distinguished name of
his certificate, not containing any IP address. In order to accept that,
the SPD might contain that distinguished name.
The same works for email addresses, which can be used as IKE ID payloads.
The client sends it, and the GW looks up his SPD for it.

>work? If every SPD-entry has to have IP addresses in addition to the
>name, what is the name good for?
Well, this SPD-entry for the client will _not_ have an IP address in it.

In Phase 2, only IP addresses, ranges and subnets are used for ID payloads.

Jörn Sierwald, www.f-secure.com
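As an added illustration of the answer above (example code, not from the thread or any IPsec implementation): a toy SPD model in Python in which the dialup clients' entries carry only a certificate DN or an e-mail address for Phase 1 and no IP address, while Phase 2 and the per-packet lookup on the gateway consult nothing but IP selectors. The entry names, addresses and the DN are constructed; the ID type numbers are the RFC 2407 values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IKE Phase 1 identification types (numeric values as assigned in RFC 2407).
ID_IPV4_ADDR, ID_USER_FQDN, ID_DER_ASN1_DN = 1, 3, 9


@dataclass
class SpdEntry:
    name: str
    peer_id: tuple                      # (ID type, value) expected in the IKE ID payload
    local_net: ipaddress.IPv4Network    # Phase 2 selector, protected side
    # Phase 2 selector, far side; None for a dialup client whose address is
    # only learned from its Quick Mode (Phase 2) ID payload.
    remote_net: Optional[ipaddress.IPv4Network] = None


# Constructed sample SPD (hypothetical names and addresses): one peer gateway
# keyed by IP address, two dialup clients keyed by certificate DN and e-mail.
SPD = [
    SpdEntry("branch-gw", (ID_IPV4_ADDR, "203.0.113.5"),
             ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16")),
    SpdEntry("dialup-dn", (ID_DER_ASN1_DN, "C=DE, O=Example, CN=Marco"),
             ipaddress.ip_network("10.1.0.0/16")),
    SpdEntry("dialup-mail", (ID_USER_FQDN, "marco@example.org"),
             ipaddress.ip_network("10.1.0.0/16")),
]


def phase1_lookup(spd, id_type: int, id_value: str) -> Optional[SpdEntry]:
    """Phase 1: match the authenticated IKE ID payload; a name entry needs no IP."""
    return next((e for e in spd if e.peer_id == (id_type, id_value)), None)


def phase2_bind(entry: SpdEntry, client_addr: str) -> SpdEntry:
    """Phase 2: the client's ID payload is an address, which becomes its selector."""
    if entry.remote_net is None:
        entry.remote_net = ipaddress.ip_network(client_addr)  # single host, /32
    return entry


def outbound_lookup(spd, src: str, dst: str) -> Optional[SpdEntry]:
    """Per-packet SPD lookup on the gateway: IP selectors only, names play no part."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in spd:
        if e.remote_net is not None and s in e.local_net and d in e.remote_net:
            return e
    return None
```

Until the dialup client has completed Phase 2, no packet can match its entry, because the entry has no IP selector to match against.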

