
IPSP policy model: conditions and actions



Howdy,

I think that the IPSP policy model puts conditions in the wrong place. SAConditions are contained by SARules, which are derived from the Policy Core Information Model's PolicyRule. The problem I see here is that SAConditions are too specific to IPsec. I would rather see a model which sets up generic conditions to classify packets. Once a packet is classified by generalized conditions, then various actions (i.e. ipsec, qos, nat, ...) could be applied in a list of actions.

Now, to do this would require tremendous coordination between all groups who might have an interest in packet classification. We know that right now, the qos and ipsec ways of modeling conditions or filters are disjoint. So I am making a recommendation which will require a good bit of cross-WG work and might perhaps move slowly.

So what would be the benefit?

If current trends hold, and each group who has an interest in classifying packets develops its own classification method, then we are very close to requiring that unnecessarily repetitive classification operations be done for each action which should be applied to the packet. It should be easy for us to envision examples where several actions (ipsec, qos, nat, firewall, ...) should be applied to the same packet. We should obviously strive to classify the packet once in implementations.

Now, I said 'very close to requiring'. I guess that even if different groups do invent different models of how to do classification, that does not necessarily mean that implementations must actually do classifications differently. But it certainly would be a confusing situation.

Ricky Charlet
rcharlet@xxxxxxxxxxxx
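An added illustration of the argument above (not code from the post or from any IPSP/PCIM draft): a toy Python model in which a generic 5-tuple condition classifies a packet once and a rule carries an ordered action list, compared with the status quo where each service keeps its own conditions and re-classifies the same packet. The Packet, Condition and Rule shapes are assumptions made for the example; the counter just makes the repeated classification visible.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int


@dataclass
class Condition:
    """Generic packet classifier (assumed shape): address/proto/port selectors."""
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet, counter: Dict[str, int]) -> bool:
        counter["classifications"] += 1  # count every classification pass
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


@dataclass
class Rule:
    condition: Condition
    actions: List[str]  # ordered action list, e.g. ["ipsec", "qos", "nat"]


def classify_once(rules: List[Rule], pkt: Packet, counter: Dict[str, int]) -> List[str]:
    """Proposed model: one generic classification, then the whole action list applies."""
    for r in rules:
        if r.condition.matches(pkt, counter):
            return list(r.actions)
    return []


def classify_per_service(svc: Dict[str, List[Condition]], pkt: Packet,
                         counter: Dict[str, int]) -> List[str]:
    """Status quo: each service owns its own conditions and classifies the packet again."""
    return [name for name, conds in svc.items()
            if any(c.matches(pkt, counter) for c in conds)]


def demo():
    # Constructed sample: TCP/443 from an internal net to a documentation prefix.
    cond = Condition(src_net="10.0.0.0/8", dst_net="192.0.2.0/24", proto=6, dport=443)
    pkt = Packet("10.1.2.3", "192.0.2.10", 6, 443)
    once_ctr, per_ctr = {"classifications": 0}, {"classifications": 0}
    once = classify_once([Rule(cond, ["ipsec", "qos", "nat"])], pkt, once_ctr)
    per = classify_per_service({"ipsec": [cond], "qos": [cond], "nat": [cond]}, pkt, per_ctr)
    return once, per, once_ctr["classifications"], per_ctr["classifications"]
```

Both models apply the same three actions to the packet; the difference is one classification pass versus one per service.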