At 11:41 AM +0200 2/8/10, Alper Yegin wrote:
Yoav,

When the IKEv2 responder offloads the Authentication, Authorization, and
Accounting (AAA) responsibilities to a centralized AAA server, it is no
longer in the business of figuring out who the peer is, if the peer is
really who it claims to be, and what policies to apply to the peer. These are
the things handled by the AAA server, and communicated to the IKEv2
responder. "Policy" needs to be enforced by the IKEv2 responder, but the
policy is determined by and communicated to the responder by the AAA server.

Alper

An IPsec implementation enforces access controls based on SPD entries, creating SAD entries for approved traffic flows. I can imagine that an AAA server may authenticate a user and advise the IKE component of that action. But there needs to be a way for IKE to know what ID is being asserted and to use that in the SPD lookup. The PAD normally governs such actions, so maybe the AAA server
is offloading part of that processing. Is that clearly defined anywhere?

Steve
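To make the PAD/SPD question above concrete, here is an added toy model of the RFC 4301 processing path when peer authentication is offloaded to a AAA server: the IKEv2 responder still looks up the asserted ID in its PAD, treats the AAA verdict as the authentication result for EAP-authenticated peers, lets the PAD entry constrain the Child SA traffic selector, and only then consults the SPD. This is illustration code written for this thread, not code from any IPsec implementation; the `PADEntry`/`SPDEntry`/`AAAVerdict` structures, the `policy_group` attribute standing in for whatever authorization data a AAA server returns, and all sample entries are constructed here.

```python
"""Constructed model of PAD -> AAA verdict -> SPD processing in an IKEv2
responder.  Not from any IPsec stack; names and entries are assumptions."""

from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional, Tuple


@dataclass
class AAAVerdict:
    """What the AAA server reports back after the EAP exchange (constructed)."""
    authenticated: bool
    # Authorization data the AAA server pushes to the responder.  Here it is a
    # policy-group name; a real deployment would carry this in an AAA attribute.
    policy_group: Optional[str] = None


@dataclass
class PADEntry:
    """Peer Authorization Database entry (RFC 4301, section 4.4.3), simplified."""
    id_type: str       # e.g. "ID_RFC822_ADDR", "ID_FQDN"
    id_pattern: str    # exact value, or "*suffix" for a suffix match
    auth_method: str   # "EAP" means the AAA server authenticates the peer
    allowed_src: str   # CIDR the peer may claim as its own traffic-selector side

    def matches_id(self, id_type: str, id_value: str) -> bool:
        if id_type != self.id_type:
            return False
        if self.id_pattern.startswith("*"):
            return id_value.endswith(self.id_pattern[1:])
        return id_value == self.id_pattern


@dataclass
class SPDEntry:
    """Security Policy Database entry, keyed by policy group and remote selector."""
    group: str
    remote: str   # CIDR matched against the peer's traffic selector
    action: str   # PROTECT / BYPASS / DISCARD


# Sample tables (constructed for the example).
PAD = [
    PADEntry("ID_RFC822_ADDR", "*@example.com", "EAP", "10.0.0.0/8"),
    PADEntry("ID_FQDN", "gw.partner.example", "RSA_SIG", "192.0.2.0/24"),
]
SPD = [
    SPDEntry("engineering", "10.0.0.0/16", "PROTECT"),
    SPDEntry("default", "10.0.0.0/8", "DISCARD"),
    SPDEntry("partner", "192.0.2.0/24", "PROTECT"),
]


def authorize_peer(id_type: str, id_value: str, proposed_ts_src: str,
                   aaa: Optional[AAAVerdict] = None,
                   local_sig_ok: bool = False) -> Tuple[Optional[SPDEntry], str]:
    """Walk the responder's decision path and return (spd_entry, reason).

    The asserted IKE ID is what the PAD is keyed on, so even when AAA has
    authenticated the user, IKE must know that ID to do the lookup.
    """
    pad = next((p for p in PAD if p.matches_id(id_type, id_value)), None)
    if pad is None:
        return None, "no PAD entry for asserted ID"

    # Authentication: offloaded to AAA for EAP, verified locally otherwise.
    if pad.auth_method == "EAP":
        if aaa is None or not aaa.authenticated:
            return None, "AAA did not authenticate peer"
        group = aaa.policy_group or "default"
    else:
        if not local_sig_ok:
            return None, "local signature verification failed"
        group = "partner"   # constructed: static group for locally-authenticated peers

    # The PAD entry constrains which traffic selectors this peer may negotiate.
    ts = ip_network(proposed_ts_src)
    if not ts.subnet_of(ip_network(pad.allowed_src)):
        return None, "proposed traffic selector outside PAD constraint"

    # Only now does the SPD lookup happen, using the AAA-supplied policy group.
    spd = next((s for s in SPD
                if s.group == group and ts.subnet_of(ip_network(s.remote))), None)
    if spd is None:
        return None, "no SPD entry for this peer and selector"
    return spd, "ok"
```

Running `authorize_peer("ID_RFC822_ADDR", "alice@example.com", "10.0.5.7/32", AAAVerdict(True, "engineering"))` yields a PROTECT entry, while the same peer with a `default` group hits the DISCARD entry, and a selector outside `10.0.0.0/8` is refused before the SPD is ever consulted.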
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec