
Re: SPD name entries & IKE



At 12:13 -0800 1/21/04, vamsi wrote:
>Some implementations, including ours, identify the remote roaming user by their ID (ID in certificate OR ID from the payload), and corresponding SPD policies are activated upon phase 1 completion.
>While activating the SPD policies, the Destination IP address of outbound policies and Source IP address of corresponding incoming policies are changed to the remote user's IP address (Source IP of phase 1 first message).
>Due to this, Quick Mode (QM) succeeds and finds the right SPD policy by matching with the selectors.
>
>At the end of phase 1 and phase 2 SA termination, and if no phase 1 is initiated by the remote client for some duration of time, corresponding SPD policies are de-activated and go to a dormant state.
>
>Due to this, I don't see any need for searching for an SPD policy based on symbolic name during QM.
>It might offer other advantages, but for this scenario, I don't see the need.

Thanks for the explanation of how you resolve the ambiguity. A few details are missing from your description, so let me try to fill them in, and you can correct me if I guess wrong.

First, you said that you use the name from the payload (or cert Subject) to select an SPD entry. This suggests that a given ID is always used to select a named SPD entry, or never is. (In the new model, the PAD is where this info could be maintained.) However, this is not a completely general solution, although it may be fine in many contexts. For example, if I use my laptop as a road warrior sometimes but as my desktop machine at other times (which is exactly what I do), I'll always be mapped to a name-based SPD entry. This might not always be the desired effect.

Also, I'm focusing on IKEv2, not IKEv1, something I should have made clear in my message. Your message seems to emphasize QM, and what I am looking to describe is a uniform mechanism, in the IKEv2 context.

Let's hear from other vendors to see if there is a common approach we can describe in 2401bis, or if we need to do something new (for IKEv2).

Thanks,

Steve
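The activation scheme vamsi describes above, modelled as an added example (this is not code from either poster or from any IPsec implementation): name-based SPD entries stay dormant until a peer's phase 1 completes, at which point the peer's source IP is substituted into the selectors so a later Quick Mode lookup matches by address, and entries return to the dormant state after an idle period. The peer IDs, addresses, the one-entry-per-ID simplification and the timeout are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class SpdEntry:
    """One name-based SPD entry; the remote address is unknown until activation."""
    peer_id: str                     # ID from the certificate subject or ID payload
    local_net: str                   # local traffic selector, e.g. "10.0.0.0/24"
    proto: str                       # protocol selector ("any", "tcp", ...)
    remote_ip: Optional[str] = None  # filled in from the phase 1 source IP
    active: bool = False
    last_phase1: float = 0.0         # time of the most recent phase 1 completion

class Spd:
    def __init__(self, dormant_after: float = 3600.0):
        self.entries: Dict[str, SpdEntry] = {}   # keyed by peer ID (constructed simplification)
        self.dormant_after = dormant_after       # idle seconds before an entry goes dormant

    def add(self, entry: SpdEntry) -> None:
        self.entries[entry.peer_id] = entry

    def phase1_complete(self, peer_id: str, src_ip: str, now: float) -> Optional[SpdEntry]:
        """Activate the peer's policy, substituting its current IP into the selectors."""
        entry = self.entries.get(peer_id)
        if entry is None:            # unknown ID: no policy is activated
            return None
        entry.remote_ip = src_ip     # dst of the outbound policy / src of the inbound one
        entry.active = True
        entry.last_phase1 = now
        return entry

    def quick_mode_lookup(self, local_net: str, remote_ip: str, proto: str) -> Optional[SpdEntry]:
        """QM selector match: only active entries with a concrete remote IP can match."""
        for e in self.entries.values():
            if e.active and (e.local_net, e.remote_ip, e.proto) == (local_net, remote_ip, proto):
                return e
        return None

    def expire(self, now: float) -> None:
        """Return entries to the dormant state once the idle period has passed."""
        for e in self.entries.values():
            if e.active and now - e.last_phase1 > self.dormant_after:
                e.active, e.remote_ip = False, None

def build_demo_spd() -> Spd:
    """Constructed sample SPD with a single name-based entry."""
    spd = Spd(dormant_after=3600.0)
    spd.add(SpdEntry("alice@example.com", "10.0.0.0/24", "any"))
    return spd
```

Note that a QM lookup before phase 1, or for an ID with no entry, finds nothing, which is the ambiguity the thread is discussing for IDs that should sometimes map to an address-based entry instead.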