
Re: comments on ICPM IPProtocolEndpoint



Ricky, The IPProtocolEndpoint class is only used to represent the local
addresses.  So, in your picture, yes, the left and right interfaces on SGW1
would be represented in the SGW1 implementation of the model as
IPProtocolEndpoint instances.  In SGW1, the hosts on subnet 1 are not
directly represented; instead they are represented as a part of the packet
classification in the conditions (i.e., filters in the current model) as
sources and/or destinations for traffic.  Regardless of whether the hosts
are running their own IKE services or not, the application of the rules in
SGW1 is specified in the conditions/filters by subnet addresses, address
ranges, specific host addresses, FQDNs, IDs, credential management authority
trust hierarchies, etc. and/or combinations thereof.

So, to clear up what I think is a little terminology problem, what we mean
when we say "Each SecurityAssociation object instance is scoped by the
IPProtocolEndpoint for which it provides protection" is that the SA (in
SGW1) is protecting traffic on the local address represented by the
IPProtocolEndpoint instance.  The fact that the traffic source/sink on
subnet 1 is being "protected" by a tunnel between SGW1 and SGW2 is also true
but not our use of the term in this context.

Sorry for the confusion.  If you can suggest some better words, we'll be
happy to make updates.  Cheers, Lee


----- Original Message -----
From: "Ricky Charlet" <rcharlet@xxxxxxxxxxxx>
To: "Lee Rafalow" <rafalow@xxxxxxxxxxxxxxx>
Cc: <ipsec-policy@xxxxxxxx>; <wg-network@xxxxxxxx>
Sent: Tuesday, January 02, 2001 11:17 AM
Subject: Re: comments on ICPM IPProtocolEndpoint


> Lee Rafalow wrote:
> >
> > Ricky, I'm not sure I understand the problem so let me try to explain the
> > relationships in the model.
> >
> > The IKEServiceForEndpoint association identifies the IPProtocolEndpoints
> > (local IP addresses, could be real or virtual interfaces) for which an IKE
> > service provides negotiation services.  (The IPProtocolEndpoint class only
> > represents local addresses, remote addresses are represented in the
> > conditions/filters of the policy.) Those same local IPProtocolEndpoint
> > instances will have SAs (SecurityAssociationBindsTo) that protect traffic on
> > the endpoints.
> >
> > Does that help or are we missing something?  Cheers, Lee
> >
>
>
> Howdy,
>
> I get the feeling from your answer that you are describing a situation
> where a host is running its own IPsec service. I am asking a question
> about the situation where a group of hosts are protected by a security
> gateway running IPsec.
>
>   --------
>  | Host A |   |
>  |        |---|
>   -------     |
>   --------    |     -------                   -------
>  | Host B |   |----| SGW 1 |--- INTERNET ----| SGW 2 |--- subnet 2
>  |        |---|     -------                   -------
>   -------     |
>   --------    |
>  | Host C |   |
>  |        |---|
>   -------     |
>               |
>            subnet 1
>
> In this picture, SGW1 is protecting all of subnet1 on its left
> interface and is running IKE (peering with SGW2) on its right interface.
>
> My confusion with the DMTF model for representing policy is this: it
> implies that IPProtocolEndpoints on SGW1 will be the left and right
> interfaces only AND that these endpoints can be the ONLY endpoints being
> protected by an IPsec Policy. But here we would wish that the whole of
> subnet1 be protected by an IPsec Policy.
>
> In general, IPsec protected endpoints are defined by the IPsec
> selectors and do not have to be IP addresses hosted by 'this' system.
>
> --
>   Ricky Charlet   : Redcreek Communications   : usa (510) 795-6903
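As an added illustration (not part of this thread or of the DMTF model's own text), the following Python sketch lays out the relationships Lee describes for SGW1: the two interfaces are the only IPProtocolEndpoint instances, the SA is scoped by the local endpoint it binds to, and the subnet 1 hosts appear only as selectors in the filter conditions. Class and attribute names are simplified assumptions, and all addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
# Constructed sketch of the thread's model; names are simplified assumptions.
@dataclass(frozen=True)
class IPProtocolEndpoint:
    """A local address on the gateway (real or virtual interface)."""
    name: str
    address: IPv4Address

@dataclass(frozen=True)
class FilterCondition:
    """Classification selectors; protected hosts live here, not as endpoints."""
    src: IPv4Network
    dst: IPv4Network

@dataclass(frozen=True)
class SecurityAssociation:
    """Scoped by the local endpoint it protects (SecurityAssociationBindsTo)."""
    spi: int
    binds_to: IPProtocolEndpoint
    peer: IPv4Address  # remote tunnel endpoint, i.e. SGW2's address

@dataclass(frozen=True)
class IPsecRule:
    condition: FilterCondition
    sa: SecurityAssociation

# Constructed SGW1 instance data (addresses chosen for the example).
LEFT = IPProtocolEndpoint("left", ip_address("10.1.0.1"))
RIGHT = IPProtocolEndpoint("right", ip_address("203.0.113.1"))
LOCAL_ENDPOINTS = (LEFT, RIGHT)
SA_TO_SGW2 = SecurityAssociation(0x1001, RIGHT, ip_address("198.51.100.1"))
RULES = (
    IPsecRule(FilterCondition(ip_network("10.1.0.0/24"),   # subnet 1
                              ip_network("10.2.0.0/24")),  # subnet 2
              SA_TO_SGW2),
)

def is_local_endpoint(addr: str) -> bool:
    """True only for SGW1's own addresses; subnet 1 hosts are not endpoints."""
    return any(ep.address == ip_address(addr) for ep in LOCAL_ENDPOINTS)

def protecting_endpoint(src: str, dst: str):
    """Classify a flow by the filter conditions and return the name of the
    local IPProtocolEndpoint its SA binds to, or None if no rule matches."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if s in rule.condition.src and d in rule.condition.dst:
            return rule.sa.binds_to.name
    return None
```

A packet from Host A (10.1.0.5) to subnet 2 is matched purely by the filter selectors and ends up protected by the SA bound to the right interface, while Host A itself is never an IPProtocolEndpoint of SGW1.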