
RE: "Me Tarzan, You Jane" in IKEv2-05



So, what is Notify payload designed for? It can handle this kind of
thing perfectly. What we need is to assign another notify type, as Dan
said. Those sites which host multiple domain names must support this
notify type.

Thanks,

Jimmy Zhang

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com 
> [mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Henry Spencer
> Sent: Tuesday, March 18, 2003 11:16 AM
> To: IP Security List
> Subject: RE: "Me Tarzan, You Jane" in IKEv2-05 
> 
> 
> On Tue, 18 Mar 2003, Geoffrey Huang wrote:
> > >   How. I'm mcr@sandelman.ca.
> > >   What service do I want to connect to? Tell me.
> > 
> > *I* can't tell you that because *I* am not the security gateway ;-).
> > This has to be a policy decision configured at the gateway.
> 
> Suppose this is *not* a VPN, so it's *not* preconfigured down 
> to the last detail.  Then there is no policy which says which 
> service mcr@sandelman.ca might want, because there is no way 
> to tell that in advance.
> 
> Even if it is preconfigured, for that matter, there might be 
> more than one service he might want, and hence no way to 
> intuit a single answer. 
> 
> > ...you're mcr@sandelman.ca, what optional IDr would you present? 
> > security-gateway.sandelman.ca?
> 
> Why would he present a name associated with him?  IDr is 
> meant to be an identity meaningful on the responder, not on 
> the initiator.  He would ask for, say, 
> area51.topsecretRandD.cisco.com.  There's no way you can 
> infer that from mcr@sandelman.ca.
> 
> Henry Spencer
> henry@spsystems.net
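As an added example, not part of this thread or of any IKEv2 implementation: the proposal above, a Notify payload that carries the service the initiator is asking for so a gateway fronting several names can choose which identity (IDr) and policy to answer with. It assumes the RFC 7296 Notify wire format, a constructed private-use notify type number (no IANA value is assigned), and a constructed policy table.

```python
import struct

# RFC 7296 reserves Notify Message Types 40960-65535 for private use; this
# value is a constructed placeholder for the new type proposed in the thread.
REQUESTED_SERVICE_NOTIFY = 40960  # hypothetical, not an IANA assignment
PROTO_NONE = 0                    # status notification: no protocol, no SPI

def build_notify(notify_type, data, next_payload=0, critical=False):
    """Encode one IKEv2 Notify payload: generic header + Notify body."""
    body = struct.pack("!BBH", PROTO_NONE, 0, notify_type) + data
    flags = 0x80 if critical else 0                 # critical bit
    return struct.pack("!BBH", next_payload, flags, 4 + len(body)) + body

def parse_notify(buf):
    """Decode one Notify payload; returns (next_payload, type, spi, data).

    Length fields are checked against the buffer so a truncated or
    malformed payload is rejected instead of read past its end."""
    if len(buf) < 8:
        raise ValueError("short Notify payload")
    next_payload, _flags, length = struct.unpack("!BBH", buf[:4])
    if length < 8 or length > len(buf):
        raise ValueError("bad payload length")
    _proto, spi_size, ntype = struct.unpack("!BBH", buf[4:8])
    if 8 + spi_size > length:
        raise ValueError("SPI overruns payload")
    spi = buf[8:8 + spi_size]
    data = buf[8 + spi_size:length]
    return next_payload, ntype, spi, data

# Constructed responder policy for one gateway hosting several services:
# requested service name -> the IDr the gateway should present for it.
GATEWAY_SERVICES = {
    b"area51.topsecretRandD.cisco.com": b"security-gateway.cisco.com",
    b"vpn.sandelman.ca": b"security-gateway.sandelman.ca",
}

def select_idr(notify_bytes, policy=GATEWAY_SERVICES):
    """Responder side: choose the IDr from the requested service name.

    Returns None when the notify is of another type or the service is
    not hosted here, so the caller can fall back to default policy."""
    _, ntype, _, requested = parse_notify(notify_bytes)
    if ntype != REQUESTED_SERVICE_NOTIFY:
        return None
    return policy.get(requested)
```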