[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ipsec] Negotiating IKE_SAs

To: David Wierbowski <wierbows@xxxxxxxxxx>
Subject: Re: [Ipsec] Negotiating IKE_SAs
From: Stephen Kent <kent@xxxxxxx>
Date: Tue, 7 Nov 2006 13:50:22 -0500
Cc: ipsec@xxxxxxxx
In-reply-to: <OF9A29B92D.DB37C602-ON8525721F.00010E40-8525721F.00053A2E@xxxxxxxxxx>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <OF9A29B92D.DB37C602-ON8525721F.00010E40-8525721F.00053A2E@xxxxxxxxxx>
Sender: owner-ietf-ipsec@xxxxxxxxxxxxx

At 7:57 PM -0500 11/6/06, David Wierbowski wrote:
...

RFC 4301 discusses the use of the SPD to find acceptable policy forthe creation of CHILD_SAs and it discusses the use of the PAD toauthenticate IKE endpoints. It does not appear to define a constructto identify what policy is acceptable for the creation of a of anIKE_SA with a specific IKE peer. Does this mean that RFCs 4301 and4306 do support the definition of peer specific policy for IKE_SAs?

The PAD not only says how to authenticate an IKE peer, it alsoprovides a way to restrict the range of IDs or addresses asserted bythe peer when the SPD is searched for a matching policy. In thatsense there is a notion of peer-specific policies, but for child SAs,not for IKE SAs.


Steve

_______________________________________________
Ipsec mailing list
Ipsec@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ipsec

References:
- [Ipsec] Negotiating IKE_SAs
  - From: David Wierbowski

Prev by Date: Re:
Next by Date: Less weight - more pleasure and joy
Previous by thread: Re: [Ipsec] Negotiating IKE_SAs
Next by thread: Re: [Ipsec] Negotiating IKE_SAs
Index(es):
- Date
- Thread