[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

quick mode "proxy" case

To: ipsec@lists.tislabs.com
Subject: quick mode "proxy" case
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Date: Tue, 10 Sep 2002 15:52:55 +0200
Cc: Jari Arkko <jari.arkko@kolumbus.fi>
Sender: owner-ipsec@lists.tislabs.com

RFC 2409 specifies:

  The identities of the SAs negotiated in Quick Mode are implicitly
   assumed to be the IP addresses of the ISAKMP peers, without any
   implied constraints on the protocol or port numbers allowed, unless
   client identifiers are specified in Quick Mode.  If ISAKMP is acting
   as a client negotiator on behalf of another party, the identities of
   the parties MUST be passed as IDci and then IDcr.  Local policy will
   dictate whether the proposals are acceptable for the identities
   specified.  If the client identities are not acceptable to the Quick
   Mode responder (due to policy or other reasons), a Notify payload
   with Notify Message Type INVALID-ID-INFORMATION (18) SHOULD be sent.

In order to make the discussion clearer I propose this terminology:
 - for these phase 2 identities: "traffic selectors"
 - for the case where the initiator acts on behalf of another party:
   the "proxy" case
 - for the "local policy" requirement: "authorization".

The question is: [how] do you implement the "proxy" case for
transport mode? (please provide the interesting details!)

Regards

Francis.Dupont@enst-bretagne.fr

PS: a better wording for the SOI should be wellcome (as I am afraid
this is rarely implemented because not understood or not understable
by users).

Follow-Ups:
- Re: quick mode "proxy" case
  - From: "Saket Dandawate" <sdandawate@pace.stpp.soft.net>

Prev by Date: RE: It's all over (except for the screaming & shouting).
Next by Date: Re: quick mode "proxy" case
Prev by thread: Trouble in IPSec VPN land
Next by thread: Re: quick mode "proxy" case
Index(es):
- Date
- Thread