Re: Issue# 3-Policy Discovery
In message <399C3D6E.765D87C9@xxxxxxxxxxxxxxxxxx>, "Abdallah Rayhan" writes:
>
> 1-Which policy are we trying to discover?
Of gateways and the remote endpoint across a path to that endpoint.
> 2-Does the policy discovery relate to
> gateway policies or inter-domain policies?
Gateways implement (part of) the policies of a particular domain, thus the
two are indistinguishable for our purposes (except that we only need to
consider the policy that applies to a specific gateway in a domain, not all the
policies of all the gateways in a domain).
> 3-Which policy service is supported by the
> gateway? e.g., IPSec, TLS, none, etc...
This WG is focusing on IPsec. While we should make it possible to have other
kinds of policies exchanged/expressed, it is outside our scope to define
those policies.
> 4-Can/should policy discovery be part of
> gateway discovery?
It certainly can. Whether it should is another issue. One of my previous
messages outlined some of the pros/cons of splitting the two processes.
> 5-Can/should policy discovery be part of
> policy negotiation?
>
> 6-What is the state-relationship between policy
> discovery and policy negotiation?
I'm not sure how you mean negotiation; if I set my security policy, I'll allow
you to operate within its limitations, but I don't want to back off from
those. Negotiation implies a mutual backoff from initially established
conditions, which is not really applicable here.
In any case, before you can do anything with policy, you certainly have to
know about it. Was there something else you were asking?
-Angelos