
Re: Issue# 3-Policy Discovery



"Angelos D. Keromytis" wrote:

> In message <399C3D6E.765D87C9@xxxxxxxxxxxxxxxxxx>, "Abdallah Rayhan" writes:
> >
> >    1-Which policy are we trying to discover?
>
> Of gateways and the remote endpoint across a path to that endpoint.

[AR] I was talking about which policy in Issue#1!
To clarify, you could ask, do you support IPSec policy?
network policies? application X policy? etc...

>
>
> >    2-Does the policy discovery relate to
> >      gateway policies or inter-domain policies?
>
> Gateways implement (part of) the policies of a particular domain, thus the
> two are indistinguishable for our purposes (except that we only need to
> consider the policy that applies to a specific gateway in a domain, not all the
> policies of all the gateways in a domain).

[AR] This is a server issue and servers define domain policies.
However, when high-level policies are deployed, then domain
policies and inter-domain policies get intertwined and both relate
to the policies gateways enforce. We would serve the cause of
policy enforcement better if the mechanisms for policy discovery
are generic and extensible to other types of policies!


> >    3-Which policy service is supported by the
> >      gateway? e.g., IPSec, TLS, none, etc...
>
> This WG is focusing on IPsec. While we should make it possible to have other
> kinds of policies exchanged/expressed, it is outside our scope to define
> those policies.

[AR] I agree that other policies are outside the scope of the WG, but
that should not prevent us from making a generic solution to handle
different types of policies!

> >    4-Can/should policy discovery be part of
> >      gateway discovery?
>
> It certainly can. Whether it should is another issue. One of my previous
> messages outlined some of the pros/cons of splitting the two processes.

[AR] I disagree. See my reply on issue#2!

> >    5-Can/should policy discovery be part of
> >      policy negotiation?
> >
> >    6-What is the state-relationship between policy
> >      discovery and policy negotiation?
>
> I'm not sure how you mean negotiation; if I set my security policy, I'll allow
> you to operate within its limitations, but I don't want to back off from
> those. Negotiation implies a mutual backoff from initially established
> conditions, which is not really applicable here.
>
> In any case, before you can do anything with policy, you certainly have to
> know about it. Was there something else you were asking?

[AR] When making a proposal, you give several options if possible.
The receiver picks the one that fits its local policy. That is negotiation.
If the name does not reflect this process, then resolution might do!