
Re: 2401bis Issue # 89 -- Remove the selector "name"



Hi Tero,

Tero Kivinen wrote:
> Paul Hoffman / VPNC writes:
>
>>At 8:57 AM -0700 10/23/03, Scott G. Kelly wrote:
>>
>>>The name selector is often used for remote access, and maybe for
>>>other applications. I know of several ipsec implementations which
>>>use fqdn for remote access policy selection, and without DN, how do
>>>we apply access controls based on certs?
>
>
> Are they really using it as an IPsec SA selector? I.e. not as an IKE SA
> identity, but as traffic selector field (there is no way to send that
> in the IKEv2 anymore).
>
> The selectors defined in the RFC2401 are for the SPD, and I think that
> they should be matching something in the packet. The name selector in
> SPD case was something, where you tied SPD entry to the username of
> the user who opened the socket.

I guess this is somewhat open to interpretation, but I would say the SAD
selectors must match the packet, but the SPD selectors must be able to
represent policy absent a connection - i.e. they must be able to
represent names in cases where numeric identifiers are not known a
priori. So, I'm saying that SPD selectors may take on values SAD
selectors cannot. I think this reflects the intent of 2401, but Steve
Kent can correct me if not.

Note that this assumes that the SPD really is THE Security Policy 
Database - the *definitive* statement of security policy for the ipsec 
implementation - and that there is no other independent policy db in the 
implementation which is used by ike.

It depends upon how you implement your spd, sad, ike policies, etc, as 
to where the name selector gets used. I think it is logical and 
convenient to extract ike policy into a local representation for the ike 
task, rather than having it always query the ipsec engine for policies, 
though this is an implementation choice, and not a requirement.

I look at it like this: when ike receives a negotiation request from an 
unknown IP address, the remote client must present an identifier (keyid 
or name). In a past life, I implemented the SPD such that there were 
numeric or name IDs possible in selector fields.

If the ike ID was a named type, the name was used in the spd lookup, and 
assuming IKE completed successfully, a SAD entry containing the client's 
numeric selectors would be created, and this would point back to the 
associated SPD entry.

It's clear to me that not everyone would implement this way; I've seen 
implementations where separate DBs for IKE are created, but ultimately, 
the ike task is negotiating on behalf of the rfc2401 implementation, so 
it seems the rfc2401 policy should reflect the identities somehow.

Regardless of how you implement this (names in the SPD, names in ike 
code), we need names. If we remove them from 2401, we have to put them 
into ikev2, else we lose the functionality entirely.

Scott
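The SPD/SAD arrangement Scott describes above (name or numeric selectors in the SPD, a name-based lookup when IKE sees a peer at an unknown address, and a SAD entry carrying only the client's numeric selectors with a back-pointer to the SPD entry) as a toy model. This is an added example, not code from the original post or from any IPsec implementation; the identity type labels, field names, policy actions and all addresses and names are constructed for illustration.

```python
"""Toy model of an SPD that accepts both numeric and name selectors and a
SAD whose entries carry only numeric selectors and point back to the SPD
entry they were derived from.  Constructed example: the id type labels,
field names and sample values are assumptions, not taken from RFC 2401."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Optional, Tuple

# Name-type identities a remote peer can present in IKE (labels assumed,
# loosely modelled on FQDN / DN / KEY_ID identity payloads).
NAME_ID_TYPES = {"fqdn", "dn", "keyid"}


@dataclass(frozen=True)
class SpdEntry:
    """Policy entry.  Exactly one of remote_net / remote_name is set, so
    the SPD can express policy for a peer whose address is unknown a priori."""
    name: str
    action: str                                   # "protect" | "bypass" | "discard"
    remote_net: Optional[IPv4Network] = None      # numeric selector
    remote_name: Optional[Tuple[str, str]] = None  # (id_type, value) name selector

    def __post_init__(self):
        if (self.remote_net is None) == (self.remote_name is None):
            raise ValueError("SPD entry needs exactly one of remote_net/remote_name")
        if self.remote_name is not None and self.remote_name[0] not in NAME_ID_TYPES:
            raise ValueError(f"unknown name id type {self.remote_name[0]!r}")


@dataclass
class SadEntry:
    """SA entry: selectors are strictly numeric so packets can be matched,
    and `spd` points back to the policy that authorised the SA."""
    spi: int
    remote_addr: IPv4Address
    spd: SpdEntry


class Spd:
    def __init__(self, entries):
        self.entries = list(entries)

    def lookup_by_ike_id(self, id_type, value):
        """Lookup used when IKE receives a request from an unknown address:
        a name-type ID matches a name selector, an address ID a numeric one."""
        if id_type in NAME_ID_TYPES:
            for e in self.entries:
                if e.remote_name == (id_type, value):
                    return e
        elif id_type == "ipv4_addr":
            addr = ip_address(value)
            for e in self.entries:
                if e.remote_net is not None and addr in e.remote_net:
                    return e
        return None


class Sad:
    def __init__(self):
        self.entries = {}

    def install(self, spi, remote_addr, spd_entry):
        """Called once IKE has completed: the SAD entry gets the client's
        numeric selector and a back-pointer to the SPD entry."""
        if spd_entry.action != "protect":
            raise ValueError("no SA is created for a non-protect policy")
        e = SadEntry(spi, ip_address(remote_addr), spd_entry)
        self.entries[spi] = e
        return e

    def lookup_by_packet(self, src_addr):
        """SAD selectors compare only against fields present in the packet."""
        addr = ip_address(src_addr)
        for e in self.entries.values():
            if e.remote_addr == addr:
                return e
        return None


def negotiate(spd, sad, peer_addr, id_type, id_value, spi):
    """Flow from the post: unknown address -> peer presents an ID -> SPD
    lookup by that ID -> (IKE authentication assumed successful here) ->
    SAD entry with numeric selectors pointing at the matched SPD entry."""
    policy = spd.lookup_by_ike_id(id_type, id_value)
    if policy is None:
        return None  # no policy covers this identity: negotiation is refused
    return sad.install(spi, peer_addr, policy)


# Constructed sample policy: one numeric selector, one name selector.
POLICY = Spd([
    SpdEntry("branch-office", "protect", remote_net=ip_network("192.0.2.0/24")),
    SpdEntry("road-warrior-alice", "protect", remote_name=("fqdn", "alice.example.com")),
])

if __name__ == "__main__":
    sad = Sad()
    sa = negotiate(POLICY, sad, "198.51.100.7", "fqdn", "alice.example.com", 0x1000)
    print(sa.spd.name, sad.lookup_by_packet("198.51.100.7") is sa)
```

The point the model makes concrete is the asymmetry in Scott's reply: `SpdEntry` may hold a name, `SadEntry` never does, and the only way a name ever influences packet handling is through the back-pointer from the SA that IKE created after matching that name.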