Re: comments on ICPM IPProtocolEndpoint
Lee Rafalow wrote:
>
> Ricky, I'm not sure I understand the problem so let me try to explain the
> relationships in the model.
>
> The IKEServiceForEndpoint association identifies the IPProtocolEndpoints
> (local IP addresses, could be real or virtual interfaces) for which an IKE
> service provides negotiation services. (The IPProtocolEndpoint class only
> represents local addresses, remote addresses are represented in the
> conditions/filters of the policy.) Those same local IPProtocolEndpoint
> instances will have SAs (SecurityAssociationBindsTo) that protect traffic on
> the endpoints.
>
> Does that help or are we missing something? Cheers, Lee
>
Howdy,
I get the feeling from your answer that you are describing a situation
where a host is running its own IPsec service. I am asking a question
about the situation where a group of hosts are protected by a security
gateway running IPsec.
 --------
| Host A |      |
|        |------|
 --------       |
 --------       |       -------                   -------
| Host B |      |-------| SGW 1 |--- INTERNET ----| SGW 2 |--- subnet 2
|        |------|       -------                   -------
 --------       |
 --------       |
| Host C |      |
|        |------|
 --------       |
                |
             subnet 1
In this picture, SGW1 is protecting all of subnet1 on its left
interface and is running IKE (peering with SGW2) on its right interface.
My confusion with the DMTF model for representing policy is this: it
implies that IPProtocolEndpoints on SGW1 will be the left and right
interfaces only AND that these endpoints can be the ONLY endpoints being
protected by an IPsec Policy. But here we would wish that the whole of
subnet1 be protected by an IPsec Policy.
In general, IPsec protected endpoints are defined by the IPsec
selectors and do not have to be IP addresses hosted by 'this' system.
--
Ricky Charlet : Redcreek Communications : usa (510) 795-6903
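The gateway case Ricky describes, as an added example that is not part of the thread: a small model in which SGW 1's IPProtocolEndpoints are only its own two interface addresses, the SA binds to the Internet-facing one, and the traffic it protects is picked by selectors covering subnet 1 and subnet 2. All addresses, interface names and the selector format are constructed for illustration.

```python
# Added illustration of the distinction raised in the message above: on a
# security gateway the IPProtocolEndpoints are just the gateway's own local
# interface addresses, while the traffic an SA protects is chosen by IPsec
# selectors that need not include any address the gateway hosts itself.
# All addresses below are constructed, not taken from any real deployment.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class IPProtocolEndpoint:
    """A local interface address, which is all the CIM class represents."""
    name: str
    address: str


@dataclass
class SecurityAssociation:
    """An SA bound to the local endpoint that carries the tunnel."""
    binds_to: IPProtocolEndpoint
    peer: str
    selectors: list  # (src_network, dst_network) pairs in CIDR notation


def selector_matches(sa, src, dst):
    """True if the (src, dst) pair falls inside one of the SA's selectors."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(sn) and d in ip_network(dn) for sn, dn in sa.selectors)


def is_local_endpoint(endpoints, addr):
    """True if addr is one of the gateway's own IPProtocolEndpoints."""
    return any(ep.address == addr for ep in endpoints)


# SGW 1: left interface faces subnet 1 (10.1.0.0/24), right interface peers with SGW 2.
LEFT = IPProtocolEndpoint("eth0", "10.1.0.1")
RIGHT = IPProtocolEndpoint("eth1", "198.51.100.1")
SGW1_ENDPOINTS = [LEFT, RIGHT]

# The SA binds to the right endpoint, but its selectors cover subnet 1 <-> subnet 2,
# none of which SGW 1 hosts on any interface.
SA = SecurityAssociation(binds_to=RIGHT, peer="203.0.113.1",
                         selectors=[("10.1.0.0/24", "10.2.0.0/24")])


def classify(src, dst):
    """What the gateway model says about a flow from src to dst."""
    return {"protected_by_sa": selector_matches(SA, src, dst),
            "src_is_local_endpoint": is_local_endpoint(SGW1_ENDPOINTS, src),
            "dst_is_local_endpoint": is_local_endpoint(SGW1_ENDPOINTS, dst)}


if __name__ == "__main__":
    # Host A -> a host on subnet 2: protected, yet neither address is an SGW 1 endpoint.
    print(classify("10.1.0.10", "10.2.0.20"))
```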