Re: SPD name entries & IKE
At 12:13 -0800 1/21/04, vamsi wrote:
>Some implementation, including ours, identify the remote roaming
>user by their ID (ID in certificate
>OR ID from the payload) and corresponding SPD policies are activated
>upon phase1 completion.
>While activating the SPD policies, the Destination IP address of
>outbound policies and Source IP address
>of corresponding incoming policies are changed to the remote user's
>IP address (Source IP of phase1 first message).
>Due to this, Quick Mode (QM) succeeds and finds the right SPD policy
>by matching with the selectors.
>
>At the end of phase1 and phase2 SA termination and
>if no phase1 is initiated by remote client for some duration of
>time, corresponding SPD policies are de-activated and go
>to dormant state.
>
>Due to this, I don't see any need for searching for SPD policy based
>on symbolic name, during QM.
>It might offer other advantages, but for this scenario, I don't see the need.
Thanks for the explanation of how you resolve the ambiguity. A few
details are missing from your description, so let me try to fill them
in, and you can correct me if I guess wrong.
First, you said that you use the name from the payload (or cert
Subject) to select an SPD entry. This suggests that a given ID always
is used to select a named SPD entry, or never is used. (In the new
model, the PAD is where this info could be maintained.) However, this
is not a completely general solution, although it may be fine in many
contexts. For example, if I use my laptop as a road warrior sometimes
but as my desktop machine at other times (which is exactly what I do)
I'll always be mapped to a name-based SPD entry. This might not
always be the desired effect.
Also, I'm focusing on IKEv2, not IKEv1, something I should have made
clear in my message. Your message seems to emphasize QM, and what I
am looking to describe is a uniform mechanism, in the IKEv2 context.
Let's hear from other vendors to see if there is a common approach we
can describe in 2401bis, or if we need to do something new (for
IKEv2).
Thanks,
Steve
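The activation scheme vamsi describes (name-keyed SPD templates that stay dormant until phase 1 completes, get the peer's IP substituted into their selectors so QM matches on address, and return to dormant after an idle period), as an added toy model; this is not code from either poster's implementation, and the user IDs, addresses and idle timeout are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class SpdEntry:
    name: str                              # symbolic name: the remote user's ID, not a selector
    local_net: str                         # protected network behind the gateway
    remote_ip: Optional[IPv4Address] = None  # filled in when the entry is activated
    last_active: float = 0.0               # time of the last phase 1 completion


class NameBasedSpd:
    """SPD whose road-warrior entries are keyed by ID until phase 1 binds an address."""

    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.dormant: dict[str, SpdEntry] = {}   # keyed by authenticated ID
        self.active: dict[str, SpdEntry] = {}

    def add_template(self, user_id: str, local_net: str) -> None:
        self.dormant[user_id] = SpdEntry(name=user_id, local_net=local_net)

    def phase1_complete(self, user_id: str, peer_ip: str, now: float) -> Optional[SpdEntry]:
        """Activate the entry for user_id; outbound dst / inbound src become peer_ip."""
        entry = self.dormant.pop(user_id, None) or self.active.get(user_id)
        if entry is None:
            return None   # authenticated ID with no policy: nothing for QM to match
        entry.remote_ip = IPv4Address(peer_ip)
        entry.last_active = now
        self.active[user_id] = entry
        return entry

    def lookup_outbound(self, dst_ip: str) -> Optional[str]:
        """QM selector match on the substituted address; the name is never consulted."""
        for entry in self.active.values():
            if entry.remote_ip == IPv4Address(dst_ip):
                return entry.name
        return None

    def expire(self, now: float) -> None:
        """Return idle entries to the dormant state and drop the bound address."""
        for user_id, entry in list(self.active.items()):
            if now - entry.last_active > self.idle_timeout:
                entry.remote_ip = None
                self.dormant[user_id] = self.active.pop(user_id)
```

The lookup only ever sees addresses, which is why a peer authenticated as a given ID is always routed to that ID's named entry, the limitation Steve raises for a host that is sometimes a road warrior and sometimes a desktop.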