Re: Issue# 2-Gateway Discovery
> 1-What is the purpose of the gateway discovery?
> In other words, which policy issue should the
> gateway discovery help to resolve?
In order to correctly resolve policies to use, it is necessary
to know all the players involved. Without knowing all the players
involved, all the applicable policies cannot be known, so the
correct policy resolution may not be able to be done.
For example host A and host B would like to communicate. They
both have policies that require authentication to communicate.
Both their policies prefer to use ESP, but will fall back to
using AH, if necessary. They do not know of any gateways between
them. However there is a gateway between them that allows AH
protected communications, but not ESP communications. In order
to tell A & B they should use AH, the presence of the gateway
must be detected and its policy included in the resolution
process.
> 2-What are we discovering? gateway IP address?
> and/or credentials?, policy domains?
> 3-What else to discover during this phase?
We need to discover who will be participating in the policy
distribution and resolution process. So, likely it will be
the policy server, unless the architecture dramatically changes.
Credentials will be needed. Whether or not they are retrieved
during the discovery process is probably debatable.
> 4-During the course of discovery, who should
> learn the topology? The initiator? All gateways
> the discovery message traverses? Border gateways?
I don't think each policy server should need to know more than the
end-points of the communication and the policy server (or gateway)
on either side of it.
> 5-How can authentication and privacy be utilized
> to ensure that the topology information is read
> only by the intended gateways?
Depends a lot on the answer to 4...
> 6-Is discovery end-to-end (only the two endpoints
> enforcing policy should learn about each other)
> or end-to-many (one endpoint enforcing policy should
> learn about all the enforcement points along the
> path to the destination endpoint of policy)?
> 7-Should the discovery signaling be direct
> signaling (the initiator discovers one gateway
> at a time) or perform Add-in discovery (one
> message traverses all gateways along the path
> and each one adds in its information to the
> end of the reply message)?
See 9.
> 8-Can/should policy discovery be part of the
> gateway discovery?
Can - definitely. SPP proves that.
Should - I believe so. See 9.
> 9-What is the state-relationship between the gateway
> discovery and policy discovery?
Policy server discovery is only needed to get the relevant policies
from a server. The knowledge of the servers or gateways is not
needed outside of the policy. Server C doesn't need to know
about Servers A or E unless there is a tunnel from A to E that it
needs to decide whether or not to permit.
I believe policy and server discovery should be combined. If
combined, when discovering servers, no topology information about the
servers needs to be collected beyond what's in the policy. Topology
information would only be needed if the two were separated so that
the policy could be collected from known policy points instead of
as they were being discovered.
That said, however, there is a drawback to not collecting the policy
information. One thing SPP has tried to do is allow for general
tunnel endpoints to be defined (e.g. a gateway in my domain needs
to have an SA with a gateway in your domain). This is much harder
without some topology information. This is an item that still
needs work.
> 10-Who should perform the discovery, servers or
> gateways?
Architecturally, the servers. The discovery is part of the
decision making. Since the policy servers do the decision making
discovery should happen there.
> 11-Based on the points raised above, what is the
> model for trust relationship among gateways and
> servers?
I don't think they should trust each other any farther than
appropriately signed credentials permit.
Matt