
Re: SPD name entries & IKE



At 12:13 -0800 1/21/04, vamsi wrote:
Some implementations, including ours, identify the remote roaming user by their ID (ID in certificate
OR ID from the payload) and corresponding SPD policies are activated upon phase1 completion.
While activating the SPD policies, the Destination IP address of outbound policies and Source IP address
of corresponding incoming policies are changed to the remote user's IP address (Source IP of phase1 first message).
Due to this, Quick Mode (QM) succeeds and finds the right SPD policy by matching with the selectors.


At the end of phase1 and phase2 SA termination and
if no phase1 is initiated by remote client for some duration of time, corresponding SPD policies are de-activated and go
to dormant state.


Due to this, I don't see any need for searching for SPD policy based on symbolic name, during QM.
It might offer other advantages, but for this scenario, I don't see the need.

Thanks for the explanation of how you resolve the ambiguity. A few details are missing from your description, so let me try to fill them in, and you can correct me if I guess wrong.


First, you said that you use the name from the payload (or cert Subject) to select an SPD entry. This suggests that a given ID always is used to select a named SPD entry, or never is used. (In the new model, the PAD is where this info could be maintained.) However, this is not a completely general solution, although it may be fine in many contexts. For example, if I use my laptop as a road warrior sometimes but as my desktop machine at other times (which is exactly what I do) I'll always be mapped to a name-based SPD entry. This might not always be the desired effect.

Also, I'm focusing on IKEv2, not IKEv1, something I should have made clear in my message. Your message seems to emphasize QM, and what I am looking to describe is a uniform mechanism, in the IKEv2 context.

Let's hear from other vendors to see if there is a common approach we can describe in 2401bis, or if we need to do something new (for IKEv2).

Thanks,

Steve
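The activation scheme vamsi describes (dormant, name-keyed SPD entries bound to the roaming peer's address when phase 1 completes, address-only selector matching in Quick Mode, deactivation after an idle period), modelled as an added example that is not code from either correspondent. The class and function names, the 600-second idle timeout and the sample addresses are constructed assumptions.

```python
"""Model of the ID-driven SPD activation described in the thread. Added example,
not code from either correspondent; names, timeout and addresses are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SpdEntry:
    name: str                   # remote user's ID (cert Subject or ID payload)
    direction: str              # "out" (gateway -> peer) or "in" (peer -> gateway)
    local: str                  # the gateway's own address
    peer: Optional[str] = None  # bound from the phase 1 first message's source IP
    active: bool = False        # dormant until a phase 1 completes for this name
    last_seen: float = 0.0

IDLE_TIMEOUT = 600.0  # assumed: seconds without phase 1 activity before deactivation

def phase1_complete(spd: List[SpdEntry], peer_id: str, peer_ip: str, now: float) -> int:
    """Activate every dormant entry for this ID: the outbound destination and the
    inbound source selector become the peer's address. Returns entries activated."""
    hits = [e for e in spd if e.name == peer_id]
    for e in hits:
        e.peer, e.active, e.last_seen = peer_ip, True, now
    return len(hits)

def lookup(spd: List[SpdEntry], direction: str, src: str, dst: str) -> Optional[SpdEntry]:
    """Quick Mode selector match on concrete addresses; no symbolic-name search."""
    for e in spd:
        if not e.active or e.direction != direction:
            continue
        want = (e.local, e.peer) if direction == "out" else (e.peer, e.local)
        if (src, dst) == want:
            return e
    return None

def expire(spd: List[SpdEntry], now: float) -> int:
    """Return idle entries to the dormant state, dropping their peer binding."""
    idle = [e for e in spd if e.active and now - e.last_seen > IDLE_TIMEOUT]
    for e in idle:
        e.active, e.peer = False, None
    return len(idle)

def demo() -> dict:  # constructed walk-through: one roaming user, both directions
    spd = [SpdEntry("CN=alice", "out", "192.0.2.1"), SpdEntry("CN=alice", "in", "192.0.2.1")]
    phase1_complete(spd, "CN=alice", "198.51.100.7", now=0.0)
    return {
        "out_hit": lookup(spd, "out", "192.0.2.1", "198.51.100.7") is not None,
        "other_peer_miss": lookup(spd, "out", "192.0.2.1", "203.0.113.9") is None,
        "expired": expire(spd, now=1000.0),
        "dormant_again": lookup(spd, "in", "198.51.100.7", "192.0.2.1") is None,
    }
```

The `other_peer_miss` case shows why the scheme needs no name search during QM: a packet from an address that no completed phase 1 has bound to an entry simply finds no active policy.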