Re: Issue# 2-Gateway Discovery
See comments below!
Abdallah
Matthew Condell wrote:
> > 1-What is the purpose of the gateway discovery?
> > In other words, which policy issue should the
> > gateway discovery help to resolve?
>
> In order to correctly resolve policies to use, it is necessary
> to know all the players involved. Without knowing all the players
> involved, all the applicable policies cannot be known, so the
> correct policy resolution may not be able to be done.
>
> For example host A and host B would like to communicate. They
> both have policies that require authentication to communicate.
> Both their policies prefer to use ESP, but will fall back to
> using AH, if necessary. They do not know of any gateways between
> them. However there is a gateway between them that allows AH
> protected communications, but not ESP communications. In order
> to tell A & B they should use AH, the presence of the gateway
> must be detected and its policy included in the resolution
> process.
[AR] Your example is about tunneling policies. I don't have a problem
with that, but is this the whole purpose of discovery, to figure out how
tunnels align? Or is discovering gateways meant to provide a mechanism for
applications to interact with firewalls and inject pinholes to enable
such applications to run with less manual provisioning? I think that
gateway discovery has to do with tunneling policies, filtering policies
and network policies.
> > 2-What are we discovering? gateway IP address?
> > and/or credentials?, policy domains?
> > 3-What else to discover during this phase?
>
> We need to discover who will be participating in the policy
> distribution and resolution process. So, likely it will be
> the policy server, unless the architecture dramatically changes.
> Credentials will be needed. Whether or not they are retrieved
> during the discovery process is probably debatable.
[AR] Servers? How? Servers are not in the signaling path of the
flow. Gateways are! So for this to work the gateways have to
run in proxy mode for the servers. Or extend DNS to allow
for server discovery! Either way, if I have the IP address of
a gateway, then I know that I can run whatever protocols we
come up with to resolve the policy issues, but do I have that
to start with? And if I do, what else do I need to discover?
> > 4-During the course of discovery, who should
> > learn the topology? The initiator? All gateways
> > the discovery message traverses? Border gateways?
>
> I don't think each policy server should need to know more than the
> end-points of the communication and the policy server (or gateway)
> on either side of it.
[AR] If we don't need the topology, then why are we discovering
gateways? The problem is to know the topology so the server
would be able to have a sound policy! It is not always the
case that you have two gateways at the endpoints of communication.
You might have a network architecture where there are 3 or 4
gateways along the path to challenge intruders. So having found
the first gateway does not mean you won't be challenged by
the next one, and you would have to go through the same
process of discovery again!
> > 5-How can authentication and privacy be utilized
> > to ensure that the topology information is read
> > only by the intended gateways?
>
> Depends a lot on the answer to 4...
[AR] While authentication and privacy may be waived
in certain circumstances, they are a requirement in general,
and whatever solution we come up with should resolve
this issue!
> > 6-Is discovery end-to-end (only the two endpoints
> > enforcing policy should learn about each other)
> > or end-to-many (one endpoint enforcing policy should
> > learn about all the enforcement points along the
> > path to the destination endpoint of policy)?
> > 7-Should the discovery signaling be direct
> > signaling (the initiator discovers one gateway
> > at a time) or perform Add-in discovery (one
> > message traverses all gateways along the path
> > and each one adds in its information to the
> > end of the reply message)?
>
> See 9.
>
> > 8-Can/should policy discovery be part of the
> > gateway discovery?
>
> Can - definitely. SPP proves that.
> Should - I believe so. See 9.
[AR] I disagree. The problem is policy protection! In some
circumstances you may not require protection because you
don't care or other mechanisms already exist. But if discovery
is to stand alone, which is most probably the way to go,
protection is something that is going to be mandatory.
During the gateway discovery phase, you have to give
up something to learn the topology. But I am not willing to
risk my policy requests being jeopardized because they
must be part of the gateway discovery phase!
SPP has its own problems, and we need to draw a solution
from the requirements and not draw the requirements from
a particular solution!
> > 9-What is the state-relationship between the gateway
> > discovery and policy discovery?
>
> Policy server discovery is only needed to get the relevant policies
> from a server. The knowledge of the servers or gateways is not
> needed outside of the policy. Server C doesn't need to know
> about Servers A or E unless there is a tunnel from A to E that it
> needs to decide whether or not to permit.
>
> I believe policy and server discovery should be combined. If
> combined, when discovering servers, no topology information about the
> servers need to be collected beyond what's in the policy. Topology
> information would only be needed if the two were separated so that
> the policy could be collected from known policy points instead of
> as they were being discovered.
>
> That said, however, there is a drawback to not collecting the policy
> information. One thing SPP has tried to do is allow for general
> tunnel endpoints to be defined (e.g. a gateway in my domain needs
> to have an SA with a gateway in your domain.). This is much harder
> without some topology information. This is an item that still
> needs work.
[AR] Now we are talking about server discovery. That is something new!
If gateway discovery and policy discovery are two different things,
then there must be some state-relationship between the two phases.
You cannot escape topology, and policy must be protected.
> > 10-Who should perform the discovery, servers or
> > gateways?
>
> Architecturally, the servers. The discovery is part of the
> decision making. Since the policy servers do the decision making
> discovery should happen there.
[AR] Read my comment on #3.
> > 11-Based on the points raised above, what is the
> > model for trust-relationship among gateways and
> > servers?
>
> I don't think they should trust each other any farther than
> appropriately signed credentials permit.
[AR] If my ISP and your ISP have an SLA agreement in regards
to outsourcing, but each one implements a different policy, then
there is a trust-relationship between the two. The question becomes
how do we define this? To implement the policy you would need
to go through the discovery process and resolve the differences.
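The ESP/AH scenario quoted above (hosts A and B prefer ESP, a gateway on the path passes only AH) written out as a policy-resolution function, as an added example that is not part of this thread or of SPP; the endpoint preferences, gateway names and allowed sets are constructed for illustration, and the function generalizes to any number of gateways along the path, as raised in the comment on question 4:

```python
"""Policy resolution over every discovered player (constructed example)."""
from typing import Dict, List, Optional, Set

# Each endpoint lists acceptable IPsec protocols in preference order;
# each gateway on the path lists the protocols it will pass.
# All values below are constructed for illustration.
ENDPOINT_PREFS: Dict[str, List[str]] = {
    "A": ["ESP", "AH"],   # prefers ESP, falls back to AH
    "B": ["ESP", "AH"],
}

GATEWAY_ALLOWS: Dict[str, Set[str]] = {
    "GW1": {"AH"},          # passes AH-protected traffic, drops ESP
    "GW2": {"ESP", "AH"},   # a second gateway further along the path
}


def resolve(initiator: str, responder: str, path_gateways: List[str],
            prefs: Dict[str, List[str]] = ENDPOINT_PREFS,
            allows: Dict[str, Set[str]] = GATEWAY_ALLOWS) -> Optional[str]:
    """Return the first protocol in the initiator's preference order that
    the responder and every listed gateway accept, or None if none exists.

    A gateway that was never discovered is simply absent from
    path_gateways, which is exactly how a wrong resolution arises."""
    responder_ok = set(prefs[responder])
    for proto in prefs[initiator]:
        if proto not in responder_ok:
            continue
        if all(proto in allows[gw] for gw in path_gateways):
            return proto
    return None


def main() -> None:
    # Without discovering GW1, A and B settle on ESP, which GW1 will drop.
    print("no discovery      :", resolve("A", "B", []))             # ESP
    # With GW1 in the resolution, the only workable answer is AH.
    print("GW1 discovered    :", resolve("A", "B", ["GW1"]))        # AH
    # Finding GW1 first does not excuse the later gateway; it is checked too.
    print("GW1+GW2 discovered:", resolve("A", "B", ["GW1", "GW2"]))  # AH


if __name__ == "__main__":
    main()
```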