The IPSec DOI


As mentioned, IKE defines how security parameters are negotiated and how shared keys are established for other protocols. What it does not define is what to negotiate. That is up to a Domain of Interpretation (DOI) document. A DOI document defines many things: a naming scheme for DOI-specific protocol identifiers, the contents of the situation field of the ISAKMP SA payload, the attributes that IKE negotiates in a Quick Mode, and any specific characteristics that IKE needs to convey. For instance, the IPSec DOI defines new fields in the ISAKMP ID payload, in effect overloading it, and new values for possible identities. This is necessary to convey the selector information used to constrain the negotiated IPSec SAs.

The attributes defined in the IPSec DOI are those required to be part of an IPSec SA. Separate attribute spaces for AH and ESP are not necessary, since the proposal and transform payloads in ISAKMP already allow the protocol to be specified separately. The DOI need merely define which protocols can be negotiated within it (in the case of IPSec, AH and ESP) and the attributes those protocols require. Any DOI that uses IKE must designate the IKE document as the source of attribute information when negotiating in phase 1. The IPSec DOI is no different.
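The two paragraphs above describe the division of labour in the abstract: ISAKMP supplies the proposal and transform payload framing, while the DOI supplies the protocol identifiers (AH, ESP), the Quick Mode attribute types and the extra fields in the ID payload. The following Python is an added example, not code from the book, that makes that split concrete by building and parsing a Quick Mode ESP proposal and an IPSec DOI ID payload carrying selectors. The numeric identifiers are the ones assigned by the IPsec DOI (RFC 2407) and the generic ISAKMP payload layouts (RFC 2408); the helper names (`build_transform`, `build_proposal`, `parse_proposal`, `build_id_payload`) and the sample SPI, lifetime and subnet are constructed for the example.

```python
import struct

# Identifiers as assigned by the IPsec DOI (RFC 2407).  The helper function names
# below are hypothetical names chosen for this example.
IPSEC_DOI = 1
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3
PROTOCOL_NAMES = {PROTO_IPSEC_AH: "AH", PROTO_IPSEC_ESP: "ESP"}

# Quick Mode attribute types (RFC 2407 section 4.5).  These are the attributes
# the DOI contributes; ISAKMP itself only defines the TLV encoding.
ATTR_SA_LIFE_TYPE = 1      # 1 = seconds, 2 = kilobytes
ATTR_SA_LIFE_DURATION = 2  # may be variable-length
ATTR_ENCAP_MODE = 4        # 1 = tunnel, 2 = transport
ATTR_AUTH_ALG = 5          # 1 = HMAC-MD5, 2 = HMAC-SHA
ATTR_KEY_LENGTH = 6

# ID type the IPsec DOI uses to carry a subnet selector (RFC 2407 section 4.6.2.1).
ID_IPV4_ADDR_SUBNET = 4


def encode_attribute(atype, value):
    """ISAKMP data attribute (RFC 2408 section 3.3): the high bit of the type is
    the AF flag; AF=1 means a 2-byte value, AF=0 means a 2-byte length plus data."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack("!HH", atype, len(raw)) + raw


def decode_attributes(data):
    """Return a list of (type, int value).  Bounds are checked so a malformed
    length field raises instead of reading past the payload."""
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        t, v = struct.unpack_from("!HH", data, off)
        off += 4
        if t & 0x8000:
            attrs.append((t & 0x7FFF, v))
        else:
            if off + v > len(data):
                raise ValueError("attribute length runs past payload end")
            attrs.append((t, int.from_bytes(data[off:off + v], "big")))
            off += v
    return attrs


def build_transform(number, transform_id, attrs, last=True):
    """ISAKMP Transform payload (RFC 2408 section 3.6)."""
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    next_payload = 0 if last else 3      # 3 = another Transform payload follows
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(body),
                       number, transform_id, 0) + body


def build_proposal(number, protocol_id, spi, transforms):
    """ISAKMP Proposal payload (RFC 2408 section 3.5); protocol_id comes from the DOI."""
    body = b"".join(transforms)
    hdr = struct.pack("!BBHBBBB", 0, 0, 8 + len(spi) + len(body),
                      number, protocol_id, len(spi), len(transforms))
    return hdr + spi + body


def parse_proposal(data):
    """Decode a proposal into (protocol name, spi, [(transform_id, attrs), ...]),
    rejecting protocol ids the IPsec DOI does not define."""
    _, _, length, _, proto, spi_size, n_transforms = struct.unpack_from("!BBHBBBB", data, 0)
    if length != len(data):
        raise ValueError("proposal length field does not match payload")
    if proto not in PROTOCOL_NAMES:
        raise ValueError(f"protocol id {proto} is not AH or ESP in the IPsec DOI")
    off = 8
    spi = data[off:off + spi_size]
    off += spi_size
    transforms = []
    for _ in range(n_transforms):
        _, _, tlen, _, tid, _ = struct.unpack_from("!BBHBBH", data, off)
        transforms.append((tid, decode_attributes(data[off + 8:off + tlen])))
        off += tlen
    return PROTOCOL_NAMES[proto], spi, transforms


def build_id_payload(id_type, protocol, port, ident):
    """IPsec DOI ID payload (RFC 2407 section 4.6.2): the DOI inserts Protocol ID
    and Port fields after ID Type so the payload can carry traffic selectors."""
    return struct.pack("!BBHBBH", 0, 0, 8 + len(ident), id_type, protocol, port) + ident


def example_esp_proposal():
    """Constructed sample: one ESP proposal (transform id 3 = ESP_3DES in the DOI),
    tunnel mode, HMAC-SHA, 28800-second lifetime, SPI 0x01020304."""
    t = build_transform(1, 3, [(ATTR_SA_LIFE_TYPE, 1), (ATTR_SA_LIFE_DURATION, 28800),
                               (ATTR_ENCAP_MODE, 1), (ATTR_AUTH_ALG, 2)])
    return build_proposal(1, PROTO_IPSEC_ESP, bytes.fromhex("01020304"), [t])


if __name__ == "__main__":
    print(parse_proposal(example_esp_proposal()))
    # Selector: TCP (6) port 443 to the constructed subnet 10.0.0.0/24.
    print(build_id_payload(ID_IPV4_ADDR_SUBNET, 6, 443,
                           bytes([10, 0, 0, 0]) + bytes([255, 255, 255, 0])).hex())
```

Note that `parse_proposal` checks the DOI-level fact (the protocol id must be one the IPsec DOI defines) separately from the ISAKMP-level facts (length fields agree with the bytes present); a receiver that skips either check will accept proposals it cannot interpret or read beyond the payload it was given.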




IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks
IPSec (2nd Edition)
ISBN: 013046189X
Year: 2004
Pages: 76
