4.4.3.3. Child SA Authorization Data
Once an IKE peer is authenticated, child SAs may be created. Each PAD entry contains data to constrain the set of IDs that can be asserted by an IKE peer, for matching against the SPD. Each PAD entry indicates whether the IKE ID is to be used as a symbolic name for SPD matching, or whether an IP address asserted in a traffic selector payload is to be used.
Authorization Methods
Using IKE ID
If the entry indicates that the IKE ID is to be used, then the PAD entry ID field defines the authorized set of IDs.
Using Traffic Selector IP Addresses
If the entry indicates that child SA traffic selectors are to be used, then an additional data element is required, in the form of IPv4 and/or IPv6 address ranges. (A peer may be authorized for both address types, so there MUST be provision for both a v4 and a v6 address range.)
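The following Python sketch is an added example, not part of this document, showing how an implementation might apply the two authorization methods above to a child SA request. The names PadEntry and authorize_child_sa are hypothetical, the ID field is simplified to a set of exact-match IDs, and the entry is assumed to have already been selected for the authenticated peer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Range = Tuple[str, str]  # (first address, last address), inclusive

@dataclass
class PadEntry:
    """Hypothetical model of the child SA authorization data in one PAD entry."""
    id_field: frozenset               # authorized set of IDs (exact match only, a simplification)
    use_ike_id: bool                  # True: IKE ID is the symbolic name for SPD matching
    v4_range: Optional[Range] = None  # consulted only when use_ike_id is False
    v6_range: Optional[Range] = None  # a peer may be authorized for both families

def authorize_child_sa(entry: PadEntry, ike_id: str, ts: Range):
    """Return what is matched against the SPD, or None if the peer is not authorized."""
    if entry.use_ike_id:
        # The PAD entry ID field defines the authorized set of IDs.
        return ("name", ike_id) if ike_id in entry.id_field else None
    # Otherwise the address range asserted in the traffic selector payload is checked.
    lo, hi = ipaddress.ip_address(ts[0]), ipaddress.ip_address(ts[1])
    if lo.version != hi.version or lo > hi:
        return None  # malformed selector: mixed families or inverted range
    allowed = entry.v4_range if lo.version == 4 else entry.v6_range
    if allowed is None:
        return None  # no range provisioned for this address family
    ok_lo, ok_hi = ipaddress.ip_address(allowed[0]), ipaddress.ip_address(allowed[1])
    # The whole asserted range must lie inside the authorized range.
    return ("address", ts) if ok_lo <= lo and hi <= ok_hi else None

# Constructed sample entries (documentation address space, not real deployments).
BY_ADDRESS = PadEntry(frozenset({"gw.example.com"}), use_ike_id=False,
                      v4_range=("192.0.2.0", "192.0.2.127"),
                      v6_range=("2001:db8::", "2001:db8::ffff"))
BY_NAME = PadEntry(frozenset({"gw.example.com"}), use_ike_id=True)
V4_ONLY = PadEntry(frozenset({"gw.example.com"}), use_ike_id=False,
                   v4_range=("192.0.2.0", "192.0.2.127"))
```

A selector that only partly overlaps the authorized range is rejected rather than narrowed here; narrowing is a separate negotiation step outside this sketch.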