[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Don't remove TS from IKEv2

To: Michael Choung Shieh <mshieh@netscreen.com>
Subject: RE: Don't remove TS from IKEv2
From: Stephen Kent <kent@bbn.com>
Date: Thu, 21 Mar 2002 10:14:55 -0500
Cc: IP Security List <ipsec@lists.tislabs.com>
In-Reply-To: <9D048F4A422CD411A56500B0D0209C5B028F3DB5@NS-CA>
References: <9D048F4A422CD411A56500B0D0209C5B028F3DB5@NS-CA>
Sender: owner-ipsec@lists.tislabs.com

At 12:18 PM -0800 3/20/02, Michael Choung Shieh wrote:
>An id or name (I mean phase 2 sa id, not phase 1) can represent the "scope",
>either it's a single address, or the combination of 10 adresses and 5
>subnets and 6 ranges and 3 sevices.

Not sure what you mean by this comment. The names defined in 2401 as 
selectors were intended only for symbolic replacements for individual 
IP addresses, where the specific addresses are instantiated when the 
SA is established. Thus, for example, an IKE responder could have an 
SPD entry with the name of an individual, to support a mobile user. 
When the user connects from the Internet, he presents a certificate 
with a name that matches the SPD entry. Assuming the certificate is 
appropriately validated, the responder should create a transient SPD 
entry (or, in the new model, an SPD cache entry) that takes the 
original SPD entry and substitutes the IP address for the name. There 
was never an intent that the name forms be used in any selector other 
than the IP addresses. I admit that 2401 did not do a good job of 
explaining this, but we plan to clarify in the rev of 2401.

Steve

References:
- RE: Don't remove TS from IKEv2
  - From: Michael Choung Shieh <mshieh@netscreen.com>

Prev by Date: Re: divergent interpretations of IKE/IPsec - interop issues
Next by Date: Bake-Off Anyone?
Prev by thread: Re: Don't remove TS from IKEv2
Next by thread: RE: Don't remove TS from IKEv2
Index(es):
- Date
- Thread