RE: IPSP topics
I don't think we should label high level policy issues as a research
project or a rat-hole. Think about this case:
A Bank would need to roll out a 2,000 node VPN network. Can you afford
to use an IT team to define per-node policy? You probably would need to
define a high level policy first, such as (just as a quick example):
Node type:
    Headquarter Gateway
    Regional Gateway
    Branch node
    Home office node
    Mobile node
Data protection policy:
    Banking Customer data protection
    Corp sensitive data protection
    Regular data protection
Authentication method:
    Cert
    Preshared
    Kerberos
    .....
Topology:
    For a group of nodes, using fully meshed or hub and spoke.
    Gateway redundancy
Monitoring policy:
    High (such as every 30 sec)
    Medium (such as every 20 min)
    Low (such as every 2 hour)
Box credential update policy:
    High
    Medium
    Low
and much more.
If you can define a high level of abstraction and then translate the
requirements into per-node configuration and monitoring requirements, I think
life will be much better for the people who really will deploy and use VPN.
It would be a nightmare to configure and manage the 2000 nodes on a per-node
basis.
-----Original Message-----
From: Angelos D. Keromytis [mailto:angelos@xxxxxxxxxxxxxxxxx]
Sent: Thursday, August 17, 2000 6:07 PM
To: CWang@xxxxxxxxxxxxxx; angelos@xxxxxxxxxxxxxxxxx
Cc: arayhan@xxxxxxxxxxxxxxxxxx; horman@xxxxxxxxxx; ipsec-policy@xxxxxxxx
Subject: RE: IPSP topics
I think the disconnect between high and low level policies has yet to be
demonstrated anywhere, whereas flexibility in dealing with different low
level devices is part of a number of products. This is not conclusive
evidence (and I can believe that if one were to think about it, they could
create a high-level and a low-level policy language/system that wouldn't
work well together).
However:
a) IPSP started with and should remain focused on the issues it tried to
resolve; trying to expand the charter has resulted (in other WGs) in no
work getting done.
b) The topic of high-level policies is vague enough that it's not well-suited
to the IETF; remember, we're not trying to do research, but apply already
known solutions to problems considered important.
In short, dealing with high-level policy issues in IPSP is what's commonly
referred to as a rat-hole :-)
-Angelos
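The policy-to-configuration translation proposed in the reply above, as an added example that is not part of the thread: the node types, data-protection classes, authentication methods and monitoring intervals are the ones listed in the mail, while the ESP proposal strings, the per-type monitoring assignment and the hub-and-spoke peering rule are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations

# Monitoring levels from the mail, expressed as a polling interval in seconds.
MONITOR_SEC = {"High": 30, "Medium": 20 * 60, "Low": 2 * 3600}
# Assumed mapping of the mail's data-protection classes to an ESP proposal.
DATA_CLASS_PROPOSAL = {"Banking Customer": "aes256-sha256",
                       "Corp sensitive": "aes128-sha256",
                       "Regular": "aes128-sha1"}
AUTH_METHODS = {"Cert", "Preshared", "Kerberos"}
GATEWAY_TYPES = {"Headquarter Gateway", "Regional Gateway"}

@dataclass
class Node:
    name: str
    node_type: str   # one of the five node types listed in the mail
    data_class: str
    auth: str

@dataclass
class NodeConfig:
    proposal: str
    auth: str
    monitor_sec: int
    peers: list = field(default_factory=list)

def translate(nodes, topology, monitor_by_type):
    """Expand one high-level policy into a dict of name -> NodeConfig.
    topology: "mesh" (every pair peers) or "hub-spoke" (gateways mesh with
    each other, every other node peers only with the gateways)."""
    names = [n.name for n in nodes]
    if topology == "mesh":
        pairs = list(combinations(names, 2))
    elif topology == "hub-spoke":
        hubs = [n.name for n in nodes if n.node_type in GATEWAY_TYPES]
        if not hubs:   # a spoke-only group can never form a tunnel
            raise ValueError("hub-spoke topology needs at least one gateway")
        pairs = list(combinations(hubs, 2)) + [(h, s) for h in hubs for s in names if s not in hubs]
    else:
        raise ValueError(f"unknown topology {topology!r}")
    configs = {}
    for n in nodes:
        if n.auth not in AUTH_METHODS:
            raise ValueError(f"{n.name}: unsupported auth {n.auth!r}")
        configs[n.name] = NodeConfig(DATA_CLASS_PROPOSAL[n.data_class], n.auth,
                                     MONITOR_SEC[monitor_by_type[n.node_type]])
    for a, b in pairs:   # per-node peer lists fall out of the topology choice
        configs[a].peers.append(b)
        configs[b].peers.append(a)
    return configs
```

Adding a node to the high-level inventory is then a one-line change; the per-node peer lists, proposals and polling intervals are regenerated rather than hand-edited.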