
Classification engine and IPSEC



Hi,
   There are some difficult protocols such as FTP, H.323, RTSP, SIP etc.
   These protocols have a control connection and several data connections.
   The control connection uses a standard service port, but the data
   connections use ephemeral ports, which are negotiated during the control
   connection. For example, FTP data connection information goes
   as part of the 'PORT' command of the control connection.

   IPSEC SPD policies can be defined based on transport selectors
   such as 'source' and 'dest' ports (ranges) along with IP addresses.

   We see a requirement that all packets belonging to a flow
   (control and data connections) should have the same security properties.
   That is, only one IPSEC policy is defined for the service, and all
   child connections (data connections) should also use the same
   policy. But this requires interoperability, as the other party should
   also treat this the same way. Today, we are solving this using a
   proprietary mechanism that works only with our solutions. When working
   with other IPSEC solutions, data connections will follow the IPSEC
   policy list to get the new security properties.

   Do people see any requirement like this? If so, how do we solve
   this problem such that it is interoperable?

Regards
Srini
 

-- 
Srinivasa Rao Addepalli
Intoto Inc.
3160, De La Cruz Blvd #100
Santa Clara, CA
USA
Ph: 408-844-0480 x317
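As an added illustration of the problem described in the message above (this is example code, not part of the original post or of any product it mentions), the following Python models a first-match SPD with transport selectors, parses an FTP 'PORT' command to learn the negotiated ephemeral port, and shows how the active-mode data connection falls through to a different policy unless a narrow child policy derived from the control policy is installed. All addresses, port numbers and policy names are constructed for the demonstration; the SPD model is a simplified reading of RFC 4301 selectors, and the PORT syntax follows RFC 959.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Simplified IPsec SPD transport selector: address ranges as networks,
# a protocol number and inclusive port ranges (constructed model).
@dataclass
class Selector:
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    proto: int
    src_ports: Tuple[int, int]
    dst_ports: Tuple[int, int]

    def matches(self, src: str, dst: str, proto: int, sport: int, dport: int) -> bool:
        return (ipaddress.IPv4Address(src) in self.src_net
                and ipaddress.IPv4Address(dst) in self.dst_net
                and self.proto == proto
                and self.src_ports[0] <= sport <= self.src_ports[1]
                and self.dst_ports[0] <= dport <= self.dst_ports[1])


@dataclass
class Policy:
    name: str
    selector: Selector
    action: str  # "PROTECT", "BYPASS" or "DISCARD"


def lookup(spd, src, dst, proto, sport, dport) -> Optional[Policy]:
    """Ordered first-match SPD lookup; None means no policy applies."""
    for policy in spd:
        if policy.selector.matches(src, dst, proto, sport, dport):
            return policy
    return None


PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' line into (ip, port).

    Returns None for malformed input (wrong shape, octet > 255, port 0),
    so a bad control-channel line never produces a selector.
    """
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def child_policy(parent: Policy, server_ip: str, client_ip: str, data_port: int) -> Policy:
    """Derive a host-and-port-specific policy for the active-mode FTP data
    connection (server port 20 -> client's announced port), inheriting the
    parent's action so the child connection gets the same treatment."""
    sel = Selector(
        src_net=ipaddress.IPv4Network(f"{server_ip}/32"),
        dst_net=ipaddress.IPv4Network(f"{client_ip}/32"),
        proto=6,
        src_ports=(20, 20),
        dst_ports=(data_port, data_port),
    )
    return Policy(parent.name + "-data", sel, parent.action)


def demo() -> Tuple[str, str, str]:
    """Returns (control action, data action before child policy, data action after)."""
    client, server = "192.168.1.10", "10.0.0.5"
    ftp_control = Policy("ftp-control", Selector(
        ipaddress.IPv4Network("192.168.1.0/24"), ipaddress.IPv4Network(f"{server}/32"),
        6, (1, 65535), (21, 21)), "PROTECT")
    catch_all = Policy("default", Selector(
        ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Network("0.0.0.0/0"),
        6, (0, 65535), (0, 65535)), "BYPASS")
    spd = [ftp_control, catch_all]

    control_action = lookup(spd, client, server, 6, 50000, 21).action

    # Constructed control-channel line: client announces 192.168.1.10:40001.
    announced_ip, data_port = parse_port_command("PORT 192,168,1,10,156,65")

    # Without a child policy the data packet matches the catch-all instead.
    before = lookup(spd, server, announced_ip, 6, 20, data_port).action

    # Install the derived child policy ahead of the parent so it wins first-match.
    spd.insert(0, child_policy(ftp_control, server, announced_ip, data_port))
    after = lookup(spd, server, announced_ip, 6, 20, data_port).action
    return control_action, before, after


if __name__ == "__main__":
    print(demo())
```

The point of the walk-through is the mismatch the message describes: with only the control policy present, the data packet is classified by whatever the rest of the policy list says (here the BYPASS catch-all), and both peers must derive and install the same child selector for the data connection to be protected consistently.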