4.4.3.1. PAD Entry IDs and Matching Rules

PAD Ordering

The PAD is an ordered database, where the order is defined by an administrator (or a user in the case of a single-user end system). Usually, the same administrator will be responsible for both the PAD and SPD, since the two databases must be coordinated.

The ordering requirement for the PAD arises for the same reason as for the SPD, i.e., because use of "star name" entries allows for overlaps in the set of IKE IDs that could match a specific entry.

Six Supported ID Types

Six types of IDs are supported for entries in the PAD, consistent with the symbolic name types and IP addresses used to identify SPD entries. The ID for each entry acts as the index for the PAD, i.e., it is the value used to select an entry. All of these ID types can be used to match IKE ID payload types.

The six types are:

  • DNS name (specific or partial)
  • Distinguished Name (complete or sub-tree constrained)
  • RFC 822 email address (complete or partially qualified)
  • IPv4 address (range)
  • IPv6 address (range)
  • Key ID (exact match only)

Sub-Tree Matching

DNS Names

The first three name types can accommodate sub-tree matching as well as exact matches. A DNS name may be fully qualified and thus match exactly one name, e.g., foo.example.com. Alternatively, the name may encompass a group of peers by being partially specified, e.g., the string .example.com could be used to match any DNS name ending in these two domain name components.

Distinguished Names

Similarly, a Distinguished Name may specify a complete Distinguished Name to match exactly one entry, e.g., CN = Stephen, O = BBN Technologies, SP = MA, C = US. Alternatively, an entry may encompass a group of peers by specifying a sub-tree, e.g., an entry of the form C = US, SP = MA might be used to match all DNs that contain these two attributes as the top two Relative Distinguished Names (RDNs).

RFC 822 Email Addresses

For RFC 822 e-mail addresses, the same options exist. A complete address such as foo@example.com matches one entity, but a sub-tree name such as @example.com could be used to match all the entities with names ending in those two domain name components to the right of the @.

Implementation Requirements

The specific syntax used by an implementation to accommodate sub-tree matching for distinguished names, domain names or RFC 822 e-mail addresses is a local matter. But, at a minimum, sub-tree matching of the sort described above MUST be supported. (Substring matching within a DN, DNS name, or RFC 822 address MAY be supported, but is not required.)

IP Address Ranges

For IPv4 and IPv6 addresses, the same address range syntax used for SPD entries MUST be supported. This allows specification of:

  • An individual address (via a trivial range)
  • An address prefix (by choosing a range that adheres to Classless Inter-Domain Routing (CIDR)-style prefixes)
  • An arbitrary address range

Key ID

The Key ID field is defined as an OCTET string in IKE. For this name type, only exact-match syntax MUST be supported (since there is no explicit structure for this ID type). Additional matching functions MAY be supported for this ID type.
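As an added example that is not part of the RFC text, the following Python models an ordered PAD and applies the sub-tree, range and exact-match rules from this section, returning the first matching entry in administrator order. The entry dictionary layout, the root-first tuple representation of Distinguished Names and the sample entries are assumptions of the example, not a syntax the RFC prescribes.

```python
import ipaddress
# Added example, not RFC text: an ordered PAD lookup applying this section's matching
# rules. The entry layout and the root-first DN tuples are assumptions of the example.
def match_dns(entry, peer):
    entry, peer = entry.lower().rstrip("."), peer.lower().rstrip(".")
    if entry.startswith("."):              # partial name: suffix match on whole labels
        return peer.endswith(entry) and len(peer) > len(entry)
    return peer == entry                   # fully qualified name: exact match

def match_email(entry, peer):
    entry, peer = entry.lower(), peer.lower()
    local, at, domain = peer.rpartition("@")
    if entry.startswith("@"):              # "@example.com": any local part at that domain
        return at == "@" and local != "" and "@" + domain == entry
    return peer == entry

def match_dn(entry, peer):
    # DNs are tuples of (attr, value) RDNs ordered root-first, so "CN = Stephen,
    # O = BBN Technologies, SP = MA, C = US" is (("C","US"),("SP","MA"),("O",...),("CN",...)).
    # A sub-tree entry matches when it is a prefix of the peer's DN.
    return tuple(peer[:len(entry)]) == tuple(entry)

def match_ip(entry, peer):
    # entry is an inclusive (low, high) range; a single address is a trivial range
    low, high = (ipaddress.ip_address(a) for a in entry)
    addr = ipaddress.ip_address(peer)
    return addr.version == low.version and low <= addr <= high

def match_key_id(entry, peer):
    return bytes(entry) == bytes(peer)     # OCTET string: exact match only

MATCHERS = {"dns": match_dns, "dn": match_dn, "email": match_email,
            "ipv4": match_ip, "ipv6": match_ip, "keyid": match_key_id}

def pad_lookup(pad, id_type, peer_id):
    """Return the first entry (in administrator order) whose ID matches, else None."""
    for entry in pad:
        if entry["type"] == id_type and MATCHERS[id_type](entry["id"], peer_id):
            return entry
    return None
# Constructed sample PAD: the exact entry precedes the overlapping "star name" entry.
SAMPLE_PAD = [
    {"type": "dns", "id": "foo.example.com", "name": "foo-exact"},
    {"type": "dns", "id": ".example.com", "name": "example-subtree"},
    {"type": "dn", "id": (("C", "US"), ("SP", "MA")), "name": "ma-subtree"},
    {"type": "email", "id": "@example.com", "name": "example-mail"},
    {"type": "ipv4", "id": ("192.0.2.0", "192.0.2.255"), "name": "v4-range"},
    {"type": "keyid", "id": b"\x01\x02", "name": "key-exact"},
]
```

Because lookup stops at the first match, swapping the two DNS entries would make the partial ".example.com" entry shadow the specific one, which is exactly why the PAD must be ordered.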