
High-Level Policy (Re: Issue# 1-Security Policy Definition)



>   4-Providing low-level policy infrastructure to
>     facilitate installing network (high-level) policies
>     into network devices? In this case, what is the
>     difference between the two? e.g, provisioning,
>     and how to map the two?

Since there appears to be interest and some believe that it is a
prerequisite to be able to configure policies within a domain before one can
negotiate policies between domains, let's not debate the charter for a
moment.

The policy abstractions are a little vague but I don't believe they're so
vague as to make the problem of domain configuration a research activity.
The problem is one of context.

The current work being documented in Jamie's draft is in the context of a
device.  That is, it is an information model that expresses the IKE
negotiation policies in the context of and for consumption by a policy
enforcement point.  The policies are expressed in association with specific
interfaces, peer gateways, etc.  We have tried to isolate that
context-specific information so as to make the bulk of the model general.

To move this information model up an abstraction layer so as to be useful
for expressing the policies in the context of an administrative domain
would, I believe, require:

1. defining the representation of service classes (e.g., DOD security
classifications);
2. defining the representation of sets of subjects, targets and gateways
probably including defining the applicability of policy roles to IKE
policies; and
3. understanding the policy decision point translation function between the
network-level context and the device-level context.

Admittedly, this is a little vague, but I think it's a reasonable starting
point.  Others?

Now to the question of the charter:

"1) Specify a repository-independent Information Model and
repository-specific Data Model for supporting IP security Policies. These
models preferably derive from the Information Model and the Data Model as
defined in the Policy Framework WG."

It doesn't say anything about the abstraction level.  Jamie chose to work on
the device-level (and bottom-up is a very reasonable approach) but if
there's significant interest in domain-level, imho, this can easily be read
to include or be adapted to explicitly include that work.

Cheers, Lee

Lee M. Rafalow
Voice: 1-919-254-4455; Fax: 1-919-254-6243
IBM Internet Technology Management
IBM Corporation
P.O. Box 12195, BRQA/502
RTP, NC 27709 USA
Alternate email: rafalow@xxxxxxxxxx
Home email: rafalow@xxxxxxxxxxxxxx
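The third item in the message above, a policy decision point translation between the domain-level (network) context and the device-level context, is easier to see in code than in prose. The following is an added example, not code from the draft or from the working group: a toy PDP that expands a domain policy (sets of subject and target prefixes plus a service class) against a gateway inventory and emits the per-interface rules each gateway would enforce. The service-class table, the `Gateway`/`DomainPolicy`/`DeviceRule` attributes and the sample inventory are all hypothetical; the one design point worth taking from it is that coverage of a prefix by more than one gateway is rejected rather than resolved by first match, so a domain policy cannot be installed on the wrong device.

```python
"""Added example: a toy policy-decision-point translation from a domain-level
IPsec policy (sets of subjects/targets plus a service class) into the
device-level rules a specific gateway interface would enforce.  The model,
attribute names and service-class table are hypothetical, not from any draft."""
from dataclasses import dataclass
from ipaddress import ip_network

# Hypothetical service-class table: a class name maps to the protection an
# SA must provide.  None means traffic in that class needs no IPsec at all.
SERVICE_CLASSES = {
    "UNCLASSIFIED": None,
    "CONFIDENTIAL": {"proto": "ESP", "enc": "aes-128-cbc", "auth": "hmac-sha1-96"},
    "SECRET": {"proto": "ESP", "enc": "aes-256-cbc", "auth": "hmac-sha256-128"},
}


@dataclass(frozen=True)
class Gateway:
    """Device-level context: a gateway, its external interface and the
    subnets it protects (hypothetical attributes)."""
    name: str
    interface: str
    outer_addr: str
    protected: tuple  # CIDR strings


@dataclass(frozen=True)
class DomainPolicy:
    """Domain-level context: subject and target sets (CIDRs) and a class."""
    subjects: tuple
    targets: tuple
    service_class: str


@dataclass(frozen=True)
class DeviceRule:
    """One SPD-style entry installed on a single gateway interface."""
    gateway: str
    interface: str
    local: str
    remote: str
    peer: str    # outer address of the peer gateway, "" for bypass
    action: str  # "protect" or "bypass"
    params: tuple  # sorted (key, value) pairs, empty for bypass


def gateway_for(prefix, gateways):
    """Return the unique gateway whose protected set contains prefix, or None.
    Two gateways claiming the same prefix is an error, not a first-match."""
    net = ip_network(prefix)
    hits = [g for g in gateways
            if any(net.subnet_of(ip_network(p)) for p in g.protected)]
    if len(hits) > 1:
        raise ValueError(f"{prefix} is claimed by {[g.name for g in hits]}")
    return hits[0] if hits else None


def translate(policy, gateways):
    """PDP translation function: expand subjects x targets, resolve each end
    to its gateway, and emit a rule for every gateway that must enforce it.
    Returns DeviceRule objects sorted by (gateway, local, remote)."""
    if policy.service_class not in SERVICE_CLASSES:
        raise ValueError(f"unknown service class {policy.service_class!r}")
    params = SERVICE_CLASSES[policy.service_class]
    rules = set()
    for s in policy.subjects:
        for t in policy.targets:
            gs, gt = gateway_for(s, gateways), gateway_for(t, gateways)
            if gs is None or gt is None:
                raise ValueError(f"no gateway covers {s if gs is None else t}")
            if params is None or gs == gt:
                # No protection required, or both ends sit behind the same
                # gateway: the traffic never crosses a tunnel boundary.
                rules.add(DeviceRule(gs.name, gs.interface, s, t, "", "bypass", ()))
                if gs != gt:
                    rules.add(DeviceRule(gt.name, gt.interface, t, s, "", "bypass", ()))
                continue
            p = tuple(sorted(params.items()))
            # Each side gets the mirror-image rule with the other as IKE peer.
            rules.add(DeviceRule(gs.name, gs.interface, s, t, gt.outer_addr, "protect", p))
            rules.add(DeviceRule(gt.name, gt.interface, t, s, gs.outer_addr, "protect", p))
    return sorted(rules, key=lambda r: (r.gateway, r.local, r.remote))


# Constructed sample inventory and policy (not from the draft).
GATEWAYS = (
    Gateway("gw-east", "eth0", "192.0.2.1", ("10.1.0.0/16",)),
    Gateway("gw-west", "eth0", "198.51.100.1", ("10.2.0.0/16", "10.3.0.0/16")),
)
POLICY = DomainPolicy(("10.1.5.0/24",), ("10.2.7.0/24", "10.3.0.0/24"), "CONFIDENTIAL")

if __name__ == "__main__":
    for rule in translate(POLICY, GATEWAYS):
        print(rule)
```

Running it with the constructed inventory yields four `protect` rules: two on gw-east with gw-west as peer, and their mirror images on gw-west. A policy whose subjects and targets both sit behind gw-west collapses to a single `bypass` entry, which is the kind of context-dependent outcome the message's point 3 is about: the same domain policy means different things on different devices.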