Proxy ID and RFC (VPN archive, March 2006)

pvsnmp@yahoo.com 2006-03-23, 8:53 pm

Hi,
Can someone tell me if the concept of proxyID in IKE Phase2 is from any
RFC? If yes, which one is it?
If not, who was the first vendor to come up with this idea?
Thanks and Regards,
Prashant

Stephen J. Bevan 2006-03-27, 7:53 am

pvsnmp@yahoo.com writes:
> Can someone tell me if the concept of proxyID in IKE Phase2 is from any
> RFC? If yes, which one is it?
The phrase "proxy ID" isn't explicitly used in the various IPsec
related RFCs. However, it was used by members of the IPsec
mailing list and in various drafts of what became IPsec RFCs. For
example, the following section is taken from
draft-ietf-ipsec-isakmp-oakley-05.txt, section 5.6 titled "Phase 2-
Quick Mode" :-
If ISAKMP is acting as a proxy negotiator on behalf of another party
the identities of the parties MUST be passed as IDui and then IDur.
Local policy will dictate whether the proposals are acceptable for
the identities specified.
...
The proxy identities are used to identify and direct traffic
to the appropriate tunnel in cases where multiple tunnels exist
between two peers and also to allow for unique and shared SAs with
different granularities. Local policy will determine whether packets
which do not match the proxy information on which a tunnel was created
will be forwarded upon leaving the tunnel.
The language changed considerably by the time RFC 2408 and 2409 were
created and the above sections do not appear. The main references to
"proxy" left are in RFC 2408 section 4.1 :-
IDx is the identity payload for "x". x can be: "ii" or "ir"
for the ISAKMP initiator and responder, respectively, or x can
be: "ui", "ur" (when the ISAKMP daemon is a proxy negotiator),
for the user initiator and responder, respectively.
and RFC 2409 section 7.2 :-
The following payloads are exchanged in the first round of Quick Mode
with ISAKMP SA negotiation. In this hypothetical exchange, the ISAKMP
negotiators are proxies for other parties which have requested
authentication.
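As an added illustration that is not part of the thread, the following Python sketch shows how a gateway uses the Phase 2 proxy IDs (IDui/IDur) described above: picking among several tunnels to the same peer by matching traffic against their proxy IDs, and applying the draft's "local policy" so that a packet leaving a tunnel is forwarded only if it matches the proxy information that tunnel was negotiated for. The ProxyId/Tunnel types, tunnel names and addresses are assumptions constructed for the example.

```python
# Added example (not from the thread or any RFC): tunnel selection and the
# decapsulation-side proxy ID check. All names and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ProxyId:
    network: str        # address range carried in the ID payload
    proto: int = 0      # 0 = any IP protocol
    port: int = 0       # 0 = any port

    def matches(self, addr: str, proto: int, port: int) -> bool:
        return (ip_address(addr) in ip_network(self.network)
                and self.proto in (0, proto)
                and self.port in (0, port))


@dataclass(frozen=True)
class Tunnel:
    name: str
    local_id: ProxyId   # IDui: traffic on our side of the tunnel
    remote_id: ProxyId  # IDur: traffic on the peer's side


def select_tunnel(tunnels, src, dst, proto, sport, dport):
    """Outbound: first tunnel whose proxy IDs cover the packet (the caller
    orders the list most-specific first). None means no SA covers it, so
    the packet must not be sent in the clear."""
    for t in tunnels:
        if (t.local_id.matches(src, proto, sport)
                and t.remote_id.matches(dst, proto, dport)):
            return t
    return None


def accept_decapsulated(tunnel, src, dst, proto, sport, dport):
    """Inbound: the 'local policy' from the draft text. A packet that arrives
    inside a tunnel but does not match the proxy IDs the tunnel was created
    for is dropped instead of forwarded. Direction is reversed here: the
    packet's source lies on the peer's side (IDur)."""
    return (tunnel.remote_id.matches(src, proto, sport)
            and tunnel.local_id.matches(dst, proto, dport))


# Constructed sample: two tunnels to the same peer with different granularity,
# the case the draft describes (unique and shared SAs between two peers).
TUNNELS = [
    Tunnel("web-only", ProxyId("10.1.0.0/24", 6, 0), ProxyId("10.2.0.0/24", 6, 443)),
    Tunnel("site-wide", ProxyId("10.1.0.0/16"), ProxyId("10.2.0.0/16")),
]
```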

pvsnmp@yahoo.com 2006-03-27, 7:53 am

Hi,
Thanks a lot.
Regards,
Prashant