From: Casey Carr <caseyc@cipheroptics.com>
To: ipsec-policy@vpnc.org
Date: Fri, 20 Aug 2004 16:39:20 -0400
Subject: Credential Filters

What is the defined mechanism in the IPSec policy model to handle the following use case?

We have a running implementation of the IPSec policy model and we have hit a use case that I can't seem to resolve with the model.  Any assistance would be appreciated. Here is the use case in end user terms. 

It is a remote access application where a user connects via his workstation to an IPSec gateway using an IPSec client on the workstation. The gateway must be configured to allow access using these criteria.

1) The user can be dynamically assigned any IP address.
2) The user is assumed to have an X509 certificate configured in his IPSec client.
3) The gateway must be configured to identify the end user during the IKE negotiation such that the X509 certificate must contain both an issuer and a subject name that match criteria in the SPD entry in the gateway. The catch is that the X509 issuer/subject name can match any entry in a match set list.
Ex: Issuer/Subject Name can be any one of the following:
 1) Issued To: CN=MyCompName,O=Eng
    Issued By: CN=MyCompCA, O=Network Security

OR

 2) Issued To: CN=YourCompName,O=Eng
    Issued By: CN=YourCompCA, O=Network Security

OR
   You get the picture


My review of rfc3585 and the CIM_Network25.mof led me to the conclusion that this is not possible with the model. Making the entry sequence value=0 would mean that we should AND all the CredentialFilter instances. If the entry sequence values are non-zero, it means that the CredentialFilters are ORed. Since the CredentialFilter has attributes of MatchFieldName and MatchFieldValue, it would take two CredentialFilter instances to define a match for an issuer AND a subject name.

What am I missing?

Casey
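An added illustration (not from Casey's post and not any implementation's code) of the AND/OR reading described above: it models CredentialFilter entries with the entry-sequence semantics as the post states them, using assumed field names "issuer" and "subject" and constructed sample certificates, and shows that one flat list either rejects every valid user (all ANDed) or accepts a mismatched issuer/subject combination (ORed), whereas one ANDed list per pair, tried in turn, matches only the intended pairs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CredentialFilter:
    match_field_name: str   # MatchFieldName, e.g. "issuer" or "subject" (assumed names)
    match_field_value: str  # MatchFieldValue: the distinguished name expected

def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: strip whitespace around each RDN."""
    return ",".join(rdn.strip() for rdn in dn.split(","))

def filter_matches(flt: CredentialFilter, cert: dict) -> bool:
    """True if the named certificate field equals the filter value."""
    expected = normalize_dn(flt.match_field_value)
    return normalize_dn(cert.get(flt.match_field_name, "")) == expected

def evaluate_filter_list(entries, cert: dict) -> bool:
    """entries: list of (EntrySequence, CredentialFilter).
    Reading assumed from the post: all sequences 0 -> filters ANDed,
    any non-zero sequence -> filters ORed."""
    if all(seq == 0 for seq, _ in entries):
        return all(filter_matches(flt, cert) for _, flt in entries)
    return any(filter_matches(flt, cert) for _, flt in entries)

def evaluate_rules(rules, cert: dict) -> bool:
    """Several filter lists, one per issuer/subject pair, tried in order;
    the certificate is accepted if any one list matches it."""
    return any(evaluate_filter_list(rule, cert) for rule in rules)

# Constructed sample certificates (field names are an assumption of this model).
CERT_MY = {"subject": "CN=MyCompName,O=Eng", "issuer": "CN=MyCompCA, O=Network Security"}
CERT_YOUR = {"subject": "CN=YourCompName,O=Eng", "issuer": "CN=YourCompCA, O=Network Security"}
# Mixed pair: MyComp's subject name under YourComp's CA. Should not be accepted.
CERT_CROSS = {"subject": "CN=MyCompName,O=Eng", "issuer": "CN=YourCompCA, O=Network Security"}

MY_SUBJ = CredentialFilter("subject", "CN=MyCompName,O=Eng")
MY_ISS = CredentialFilter("issuer", "CN=MyCompCA,O=Network Security")
YOUR_SUBJ = CredentialFilter("subject", "CN=YourCompName,O=Eng")
YOUR_ISS = CredentialFilter("issuer", "CN=YourCompCA,O=Network Security")

# One flat list, all ANDed: no single certificate can satisfy both pairs at once.
FLAT_AND = [(0, MY_SUBJ), (0, MY_ISS), (0, YOUR_SUBJ), (0, YOUR_ISS)]
# One flat list, ORed: accepts the intended pairs but also the mixed certificate.
FLAT_OR = [(1, MY_SUBJ), (2, MY_ISS), (3, YOUR_SUBJ), (4, YOUR_ISS)]
# One ANDed list per pair, tried in turn: only the intended pairs match.
PAIR_RULES = [[(0, MY_SUBJ), (0, MY_ISS)], [(0, YOUR_SUBJ), (0, YOUR_ISS)]]
```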
