|    comp.dcom.vpn    |    VPN protocols, clients, awesomeness    |    2,348 messages    |
|    Message 1,950 of 2,348    |
|    Stephen J. Bevan to pvsnmp@yahoo.com    |
|    Re: Proxy ID and RFC    |
|    27 Mar 06 01:53:44    |
From: stephen@dino.dnsalias.com

pvsnmp@yahoo.com writes:
> Can someone tell me if the concept of proxyID in IKE Phase2 is from any
> RFC? If yes, which one is it?

The phrase "proxy ID" isn't explicitly used in the various IPsec
related RFCs. However, it was used by members of the IPsec
mailing list and in various drafts of what became IPsec RFCs. For
example, the following section is taken from
draft-ietf-ipsec-isakmp-oakley-05.txt, section 5.6 titled "Phase 2 -
Quick Mode" :-

    If ISAKMP is acting as a proxy negotiator on behalf of another party
    the identities of the parties MUST be passed as IDui and then IDur.
    Local policy will dictate whether the proposals are acceptible for
    the identities specified.

    ...

    The proxy identities are used to identify and direct traffic
    to the appropriate tunnel in cases where multiple tunnels exist
    between two peers and also to allow for unique and shared SAs with
    different granularities. Local policy will determine whether packets
    which do not match the proxy information on which a tunnel was created
    will be forwarded upon leaving the tunnel.

The language changed considerably by the time RFC 2408 and 2409 were
created and the above sections do not appear. The main references to
"proxy" left are in RFC 2408 section 4.1 :-

    IDx is the identity payload for "x". x can be: "ii" or "ir"
    for the ISAKMP initiator and responder, respectively, or x can
    be: "ui", "ur" (when the ISAKMP daemon is a proxy negotiator),
    for the user initiator and responder, respectively.

and RFC 2409 section 7.2 :-

    The following payloads are exchanged in the first round of Quick Mode
    with ISAKMP SA negotiation. In this hypothetical exchange, the ISAKMP
    negotiators are proxies for other parties which have requested
    authentication.