
Re: comments on ICPM IPProtocolEndpoint



Howdy, 
	see my comments at bottom...

Lee Rafalow wrote:
> 
> Ricky, The IPProtocolEndpoint class is only used to represent the local
> addresses.  So, in your picture, yes, the left and right interfaces on SGW1
> would be represented in the SGW1 implementation of the model as
> IPProtocolEndpoint instances.  In SGW1, the hosts on subnet 1, are not
> directly represented; instead they are represented as a part of the packet
> classification in the conditions (i.e., filters in the current model) as
> sources and/or destinations for traffic.  Regardless of whether the hosts
> are running their own IKE services or not, the application of the rules in
> SGW1 is specified in the conditions/filters by subnet addresses, address
> ranges, specific host address, FQDNs, IDs, credential management authority
> trust hierarchies, etc. and/or combinations thereof.
> 
> So, to clear up what I think is a little terminology problem, what we mean
> when we say "Each SecurityAssociation object instance is scoped by the
> IPProtocolEndpoint for which it provides protection"  is that the SA (in
> SWG1) is protecting traffic on the local address represented by the
> IPProtocolEndpoint instance.  The fact that the traffic source/sink on
> subnet 1 is being "protected" by a tunnel between SGW1 and SGW2 is also true
> but not our use of the term in this context.
> 
> Sorry for the confusion.  If you can suggest some better words, we'll be
> happy to make updates.  Cheers, Lee
> 
> ----- Original Message -----
> From: "Ricky Charlet" <rcharlet@xxxxxxxxxxxx>
> To: "Lee Rafalow" <rafalow@xxxxxxxxxxxxxxx>
> Cc: <ipsec-policy@xxxxxxxx>; <wg-network@xxxxxxxx>
> Sent: Tuesday, January 02, 2001 11:17 AM
> Subject: Re: comments on ICPM IPProtocolEndpoint
> 
> > Lee Rafalow wrote:
> > >
> > > Ricky, I'm not sure I understand the problem so let me try to explain
> the
> > > relationships in the model.
> > >
> > > The IKEServiceForEndpoint association identifies the IPProtocolEndpoints
> > > (local IP addresses, could be real or virtual interfaces) for which an
> IKE
> > > service provides negotiation services.  (The IPProtocolEndpoint class
> only
> > > represents local addresses, remote addresses are represented in the
> > > conditions/filters of the policy.) Those same local IPProtocolEndpoint
> > > instances will have SAs (SecurityAssociationBindsTo) that protect
> traffic on
> > > the endpoints.
> > >
> > > Does that help or are we missing something?  Cheers, Lee
> > >
> >
> >
> > Howdy,
> >
> > I get the feeling from your answer that you are describing a situation
> > where a host is running its own IPsec service. I am asking a question
> > about the situation where a group of hosts are protected by a security
> > gateway running IPsec.
> >
> >   --------
> >  | Host A |   |
> >  |        |---|
> >   -------     |
> >   --------    |     -------                   -------
> >  | Host B |   |----| SGW 1 |--- INTERNET ----| SGW 2 |--- subnet 2
> >  |        |---|     -------                   -------
> >   -------     |
> >   --------    |
> >  | Host C |   |
> >  |        |---|
> >   -------     |
> >               |
> >            subnet 1
> >
> > In this picture, SGW1 is protecting all of subnet1 on its left
> > interface and is running IKE (peering with SGW2) on its right interface.
> >
> > My confusion with the DMTF model for representing policy is this: it
> > implies that IPProtocolEndpoints on SGW1 will be the left and right
> > interfaces only AND that these endpoints can be the ONLY endpoints being
> > protected by an IPsec Policy. But here we would wish that the whole of
> > subnet1 be protected by an IPsec Policy.
> >
> > In general, IPsec protected endpoints are defined by the IPsec
> > selectors and do not have to be IP addresses hosted by 'this' system.
> >
> > --
> >   Ricky Charlet   : Redcreek Communications   : usa (510) 795-6903



OK,
	First off, I'm glad to discover that packet selectors for IPsec
processing can be more than just an IP address on 'this' device. I
misread the document. The root of my misunderstanding was in
preconceived notions of what the word endpoint might mean.

	But now, here is the sentence that tripped me up and my suggestion
about how I could have been helped by other language:

from DMTF White Paper on IPsec Policy Model version 0.82 section 2:
"Each IP address hosted by a system is represented by the
IPProtocolEndpoint class, and instances of this class can be associated
with an IKE service that provides IKE negotiation services for the
address, an IPsec policy for use in negotiations for the address, and a
set of IKE and/or IPsec security associations that are protecting
traffic on that address. The policy for an endpoint is represented by
the class IPsecPolicyGroup, which contains a set of policy rules and/or
nested policy groups."

	I suggest a name change from  IPProtocolEndpoint to IPInterface. And
then language like:
"Each IP address hosted by a system is represented by the IPInterface
class. Instances of IPInterface can be associated with an IKE policy, an
IPsec Policy, and a set of currently instantiated IKE and/or IPsec
security associations. The policy enforced at an IPInterface is
represented by the class IPsecPolicyGroup..."


	Whether or not you agree with the terminology change (and I don't
strongly care) I do strongly urge that you drop the phrase "that are
protecting traffic on that address" which was what caused me the most
confusion. So if we do not do the terminology change, the sentences
would read:
"Each IP address hosted by a system is represented by the
IPProtocolEndpoint class. Instances of IPProtocolEndpoint can be
associated with an IKE policy, an IPsec Policy, and a set of current IKE
and/or IPsec security associations. The policy enforced at an
IPProtocolEndpoint is represented by the class IPsecPolicyGroup..."


-- 
  Ricky Charlet   : Redcreek Communications   : usa (510) 795-6903
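As a worked illustration of the relationships Lee describes above (IPProtocolEndpoint instances for local addresses only, remote hosts and subnets expressed solely in the conditions/filters, SAs scoped by the local endpoint they bind to), here is an added Python model that is not part of this thread, of the DMTF white paper, or of any vendor's code. It reproduces the diagram in the quoted message: SGW1 with subnet 1 on its left interface and IKE peering with SGW2 on its right. The class and association names come from the thread; every field name, the first-match rule evaluation, the default-discard for unmatched traffic and all addresses are assumptions made for this example.

```python
# Added illustration of the ICPM relationships discussed in this thread.
# Class names (IPProtocolEndpoint, IPsecPolicyGroup, SecurityAssociation,
# IKEServiceForEndpoint, SecurityAssociationBindsTo) follow the white paper;
# every field name, the matching logic and all addresses are this example's
# own assumptions, not DMTF or vendor code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class IPProtocolEndpoint:
    """A LOCAL IP address hosted by this system (an SGW interface here)."""
    name: str
    address: str


@dataclass(frozen=True)
class FilterCondition:
    """Packet classification in the sense of the model's conditions/filters.
    Remote hosts and subnets (Host A, subnet 2) appear only here, never as
    IPProtocolEndpoint instances."""
    src: str  # CIDR selector for the source (constructed)
    dst: str  # CIDR selector for the destination (constructed)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


@dataclass(frozen=True)
class IPsecPolicyRule:
    condition: FilterCondition
    action: str  # constructed action labels: "protect:...", "bypass"


@dataclass
class IPsecPolicyGroup:
    rules: List[IPsecPolicyRule]  # evaluated in order, first match wins (assumption)


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    peer: str
    binds_to: IPProtocolEndpoint  # the SecurityAssociationBindsTo association


@dataclass
class SecurityGateway:
    endpoints: Dict[str, IPProtocolEndpoint]
    ike_service_for: Dict[str, str]          # IKEServiceForEndpoint: endpoint -> IKE service
    policy_for: Dict[str, IPsecPolicyGroup]  # policy group attached to a local endpoint
    sas: List[SecurityAssociation]

    def classify(self, ingress: str, src_ip: str, dst_ip: str) -> str:
        """Apply the policy group of the local endpoint the packet arrived on.
        Unmatched traffic (or an endpoint without a policy) is discarded;
        default-deny is this example's choice, not the model's."""
        group = self.policy_for.get(ingress)
        if group is not None:
            for rule in group.rules:
                if rule.condition.matches(src_ip, dst_ip):
                    return rule.action
        return "discard"

    def sas_protecting(self, endpoint_name: str) -> List[SecurityAssociation]:
        """SAs scoped by a local endpoint, in Lee's sense of 'protecting
        traffic on that address'."""
        return [sa for sa in self.sas if sa.binds_to.name == endpoint_name]


def build_sgw1() -> SecurityGateway:
    """SGW1 from the diagram: subnet 1 on its left interface, IKE peering with
    SGW2 on its right. All addresses are constructed (RFC 5737 documentation
    ranges for the Internet side). Inbound SA processing on the right endpoint
    is out of scope for this illustration."""
    left = IPProtocolEndpoint("left", "10.1.0.1")     # faces subnet 1 (10.1.0.0/24)
    right = IPProtocolEndpoint("right", "192.0.2.1")  # faces the Internet
    subnet1, subnet2, sgw2 = "10.1.0.0/24", "10.2.0.0/24", "198.51.100.1"

    policy = IPsecPolicyGroup(rules=[
        # subnet 1 -> subnet 2: protect through the tunnel to SGW2
        IPsecPolicyRule(FilterCondition(subnet1, subnet2), "protect:tunnel-to-SGW2"),
        # subnet 1 -> anywhere else: send in the clear
        IPsecPolicyRule(FilterCondition(subnet1, "0.0.0.0/0"), "bypass"),
    ])
    tunnel_sa = SecurityAssociation(spi=0x1001, peer=sgw2, binds_to=right)
    return SecurityGateway(
        endpoints={"left": left, "right": right},
        ike_service_for={"right": "ike-service-1"},  # IKE runs on the right interface
        policy_for={"left": policy},
        sas=[tunnel_sa],
    )


if __name__ == "__main__":
    gw = build_sgw1()
    print(gw.classify("left", "10.1.0.7", "10.2.0.9"))   # Host A -> subnet 2
    print([sa.spi for sa in gw.sas_protecting("right")])  # SA scoped by the right endpoint
```

Running it shows the two points of the thread side by side: Host A's address never appears as an IPProtocolEndpoint, yet its traffic to subnet 2 is selected for protection by the filter on SGW1's left endpoint, and the SA that carries that traffic is the one bound to SGW1's right endpoint, where IKE runs.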