
RE: Slightly higher level policy



Do you mean, for example, that the same set of IPsec association attributes may be
used to set up multiple IPsec tunnels? In this case, the endpoints of the
tunnels and the filters used by each tunnel are different but the protection
suites are the same for all the tunnels.

If this is the correct interpretation of your approach, it may be used by a
policy server internally to simplify policy definition. Specifically,
attributes of a structure are defined first. The user then binds addresses and
filters to the structure. The policy server translates the bindings into
device-level policy and deploys it over devices. With the binding, the user
does not need to define the same structure again and again for IPsec
associations between different points.


Man Li
Nokia 
5 Wayside Road, Burlington, MA 01803
man.m.li@xxxxxxxxx
phone 1-781-993-3923
GSM 1-781-492-2850 

-----Original Message-----
From: EXT Hilarie Orman [mailto:HORMAN@xxxxxxxxxx]
Sent: Wednesday, November 29, 2000 1:32 PM
To: ipsec-policy@xxxxxxxx
Subject: Slightly higher level policy


I would like to suggest a language-based approach to the problem
of specifying policy for collections of elements.  This is fairly generic,
and I'm curious to know if it duplicates other proposed methods.

The idea is that when filling in the attributes of a structure, you
can specify that some items are named but not yet bound.
For example, a collection of elements defined with identical
attributes but differing in their specific IP address would
use one data structure, but fill in the address as 
"$this_ip_address", which would make it a free variable 
of the element definition.

Each specific element would be defined with a reference
to the data structure and a specific IP address:

security_gateway(this_ip_address = 192.60.51.3)

There are well-known formal constructs for the binding rules
and evaluation of such languages.  They seem like a simple
extension of policy definitions.  Could they be applied usefully
to the IPSec Policy arena?

Hilarie
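As an added illustration of both messages above (not code from either author), the following Python sketches Hilarie's structure with `$`-prefixed free variables, the per-element binding `security_gateway(this_ip_address = 192.60.51.3)`, and the policy-server translation step from Man Li's reply. The attribute names, the protection suite and the `$protected_net` variable are constructed for the example; the binding step refuses an element whose free variables are not all bound, so an under-specified structure cannot reach a device as a rule.

```python
import ipaddress
import re

# A free variable is written "$name" in an attribute value, as in the thread.
FREE_VAR = re.compile(r"^\$(\w+)$")

# Constructed example structure: shared protection attributes, with the
# endpoint and the filter left as free variables to be bound per element.
SECURITY_GATEWAY = {
    "mode": "tunnel",
    "encryption": "3des-cbc",
    "integrity": "hmac-sha1",
    "peer": "$this_ip_address",
    "selector": "$protected_net",
}

def free_variables(template):
    """Names of the attributes of a structure that are named but not yet bound."""
    names = set()
    for value in template.values():
        m = FREE_VAR.match(str(value))
        if m:
            names.add(m.group(1))
    return names

def bind(template, **bindings):
    """Instantiate a structure by binding its free variables.

    Every free variable must be bound and no unknown variable may be supplied,
    so a partially specified element fails here rather than becoming a rule.
    """
    expected = free_variables(template)
    missing = expected - bindings.keys()
    if missing:
        raise ValueError(f"unbound variables: {sorted(missing)}")
    unknown = bindings.keys() - expected
    if unknown:
        raise ValueError(f"unknown variables: {sorted(unknown)}")
    element = {}
    for key, value in template.items():
        m = FREE_VAR.match(str(value))
        element[key] = bindings[m.group(1)] if m else value
    return element

def to_device_policy(element):
    """Translate a bound element into a flat device-level rule (the policy
    server step). Address-valued attributes are parsed, so a malformed
    binding is rejected before deployment."""
    return {
        "peer": str(ipaddress.ip_address(element["peer"])),
        "selector": str(ipaddress.ip_network(element["selector"])),
        "esp": f'{element["encryption"]}+{element["integrity"]}',
        "mode": element["mode"],
    }
```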