
Re: 2401bis Issue # 89 -- Remove the selector "name"
Paul Hoffman / VPNC writes:
> At 8:57 AM -0700 10/23/03, Scott G. Kelly wrote:
> >The name selector is often used for remote access, and maybe for 
> >other applications. I know of several ipsec implementations which 
> >use fqdn for remote access policy selection, and without DN, how do 
> >we apply access controls based on certs?

Are they really using it as an IPsec SA selector? I.e. not as an IKE SA
identity, but as a traffic selector field (there is no way to send that
in IKEv2 anymore).

The selectors defined in RFC 2401 are for the SPD, and I think that
they should be matching something in the packet. The name selector in
the SPD case was something where you tied the SPD entry to the username of
the user who opened the socket.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
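The distinction drawn in the message above (selectors that match packet fields versus a "name" selector that can only be evaluated on the host that owns the socket) is easier to see with a small model of an ordered SPD. The following is an added example written for this page, not code from the thread or from any IPsec implementation; the entry names, addresses and the `socket_owner` parameter are constructed for illustration. It applies the RFC 2401 first-match rule over address, next-protocol and port selectors taken from the packet, and shows that an entry carrying a name selector is skipped whenever no local socket context is available, as on a gateway forwarding traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    """Fields an SPD lookup can read directly off the wire."""
    src: str
    dst: str
    proto: int                 # IP next-protocol number (6 = TCP, 17 = UDP)
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class SpdEntry:
    """One ordered SPD entry; None means 'any' for that selector."""
    name: str
    action: str                # "PROTECT", "BYPASS" or "DISCARD" (RFC 2401 actions)
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[int] = None
    # The RFC 2401 "name" selector: a user name tied to the socket that
    # produced the packet. It is NOT derivable from packet bytes, so it can
    # only be evaluated on the end host that owns the socket.
    user: Optional[str] = None

    def matches(self, pkt: Packet, socket_owner: Optional[str] = None) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.user is not None:
            # Without local socket context (e.g. on a forwarding gateway) a
            # name-selector entry cannot match at all; it is simply skipped.
            if socket_owner is None or socket_owner != self.user:
                return False
        return True


def spd_lookup(spd: List[SpdEntry], pkt: Packet,
               socket_owner: Optional[str] = None) -> Optional[SpdEntry]:
    """RFC 2401 SPD semantics: entries are ordered, first match wins."""
    for entry in spd:
        if entry.matches(pkt, socket_owner):
            return entry
    return None


def packet_derivable_selectors(entry: SpdEntry) -> List[str]:
    """Names of the selectors in this entry that a gateway can evaluate
    from the packet alone (everything except the name selector)."""
    derivable = []
    if entry.src_net != "0.0.0.0/0":
        derivable.append("src")
    if entry.dst_net != "0.0.0.0/0":
        derivable.append("dst")
    if entry.proto is not None:
        derivable.append("proto")
    if entry.dport is not None:
        derivable.append("dport")
    return derivable


# Constructed sample SPD (hypothetical names and prefixes, for illustration).
SAMPLE_SPD = [
    SpdEntry("alice-ssh", "PROTECT", dst_net="10.0.0.0/8", proto=6, dport=22, user="alice"),
    SpdEntry("intranet", "PROTECT", dst_net="10.0.0.0/8"),
    SpdEntry("default", "DISCARD"),
]


if __name__ == "__main__":
    pkt = Packet("192.0.2.1", "10.1.2.3", proto=6, sport=40000, dport=22)
    # On the end host the socket owner is known, so the name selector applies.
    print(spd_lookup(SAMPLE_SPD, pkt, socket_owner="alice").name)
    # On a gateway the same packet has no socket owner; the entry is skipped.
    print(spd_lookup(SAMPLE_SPD, pkt).name)
    print(packet_derivable_selectors(SAMPLE_SPD[0]))
```

The point the lookup makes concrete is that a gateway processing forwarded traffic can only ever reach the entries whose selectors are in `packet_derivable_selectors`; a policy that depends on the name selector silently degrades to the next matching entry there, which is why the thread questions whether "name" belongs among the traffic selectors at all.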