[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue# 4-Policy Negotiation

To: ipsec-policy <ipsec-policy@xxxxxxxx>
Subject: Re: Issue# 4-Policy Negotiation
From: Matthew Condell <mcondell@xxxxxxx>
Date: 18 Aug 2000 14:30:06 -0000
List-archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-id: <ipsec-policy.vpnc.org>
List-unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>
Reply-to: mcondell@xxxxxxx
Sender: owner-ipsec-policy@xxxxxxxxxxxxx

>    3-Can/should policy discovery and negotiation
>      be merged into one phase?

Can - definitely.  See SPP.
Should - yes.

It is only possible to perform policy discovery when you know 
what communication will be traversing a particular gateway.
For a particular end-to-end communication, it may be different
at different gateways in the communication's path since each
gateway may add one or more new layers of tunnels to the 
communication.  Policy resolution determines what the communication
will look like at each gateway.  Therefore, at each gateway we
would like to perform a resolution step to determine what the
communication will look like, then a policy discovery step to
find the policy applicable to the communication that the gateway
will see.

>    4-How should negotiation be performed, the server
>      or the gateway?

The policy server's job is to make policy decisions.  Policy
resolution is a decision, so it should happen there.  Note, that the
distinction between a policy server and a gateway may just be an
architectural one.  There is nothing preventing an implementation from
combining the two.

Matt

Prev by Date: Re: Issue# 2-Gateway Discovery
Next by Date: RE: IPSP topics
Previous by thread: Issue# 4-Policy Negotiation
Next by thread: Issue# 5-Policy Distribution
Index(es):
- Date
- Thread