Slightly higher level policy
I would like to suggest a language-based approach to the problem
of specifying policy for collections of elements. This is fairly generic,
and I'm curious to know if it duplicates other proposed methods.
The idea is that when filling in the attributes of a structure, you
can specify that some items are named but not yet bound.
For example, a collection of elements defined with identical
attributes but differing in their specific IP address would
use one data structure, but fill in the address as
"$this_ip_address", which would make it a free variable
of the element definition.
Each specific element would be defined with a reference
to the data structure and a specific IP address:
security_gateway(this_ip_address = 192.60.51.3)
There are well-known formal constructs for the binding rules
and evaluation of such languages. They seem like a simple
extension of policy definitions. Could they be applied usefully
to the IPSec Policy arena?
Hilarie
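One way to implement the named-but-unbound attributes described above, as an added example that is not part of the original message: a template whose "$name" values are free variables, bound when a specific element is defined, which refuses to evaluate while any variable is unbound and checks that an address attribute actually parses. The esp_transform attribute and the Python representation are assumptions of this example, not anything from the post.

```python
import ipaddress
import re
from dataclasses import dataclass

# A free variable is an attribute value written "$name", as in the post.
FREE_VAR = re.compile(r"^\$(\w+)$")


@dataclass
class PolicyTemplate:
    """A structure whose attribute values may be left as free variables."""
    name: str
    attributes: dict

    def free_variables(self):
        """Names of the attributes that are still unbound."""
        return {m.group(1) for v in self.attributes.values()
                if isinstance(v, str) and (m := FREE_VAR.match(v))}

    def bind(self, **bindings):
        """Evaluate the template into a concrete element (a plain dict).
        Every free variable must be bound, and an attribute named *_address
        must parse as an IP address, so a malformed policy fails here rather
        than when the gateway consults it."""
        missing = self.free_variables() - bindings.keys()
        if missing:
            raise ValueError(f"{self.name}: unbound {sorted(missing)}")
        element = {}
        for attr, value in self.attributes.items():
            m = FREE_VAR.match(value) if isinstance(value, str) else None
            element[attr] = bindings[m.group(1)] if m else value
            if attr.endswith("_address"):
                element[attr] = str(ipaddress.ip_address(element[attr]))
        return element


# Constructed template: the post's security_gateway, with one free variable
# plus a made-up fixed attribute so the shared part is visible.
SECURITY_GATEWAY = PolicyTemplate("security_gateway", {
    "esp_transform": "3des-hmac-sha1",      # constructed, not from the post
    "ip_address": "$this_ip_address",
})


def security_gateway(this_ip_address):
    """security_gateway(this_ip_address = ...) from the post."""
    return SECURITY_GATEWAY.bind(this_ip_address=this_ip_address)
```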