
Re: IPsecAction granularity



Ricky, here's the reasoning for its location in the model.

The conditions (filters) are used to determine which rule applies to a
packet (for which there's currently no SA).  As with other action
properties, the granularity is used to determine how to negotiate and build
the SA.  In this case, the granularity is used (in conjunction with the
filters) to determine the selector for a given IPsec SA.

So, the same rule can be evaluated (i.e., filter) and yield different
selectors.

IHTH.  Lee

----- Original Message -----
From: "Ricky Charlet" <rcharlet@xxxxxxxxxxxx>
To: ".ipsec-policy" <ipsec-policy@xxxxxxxx>
Sent: Tuesday, January 09, 2001 7:30 PM
Subject: ICIM: IPsecAction granularity


> Howdy,
>
> I dislike the granularity property of IPsecActions. It purports to be
> controlling whether subnet mask, or protocol, or port fields should be
> wild-carded in SA Proposals. And this makes the granularity property
> part of a selector. I think any property of a selector should be over on
> the Filter Entry side and not in an IPsecAction.
>
>
> --
>   Ricky Charlet   : Redcreek Communications   : usa (510) 795-6903
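
The split described in the reply above, sketched as an added example that is not part of the original thread or of the ICIM model text: the filter only decides whether the rule applies, and the action's granularity then decides which fields of the SA selector are copied from the packet and which stay wildcarded. The class names, the four granularity labels (`subnet`, `address`, `protocol`, `port`) and the sample packets are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = "*"  # wildcarded selector field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    src_net: str      # condition (filter) side: which packets the rule covers
    dst_net: str
    granularity: str  # action side (hypothetical labels, see lead-in)

    def matches(self, p: Packet) -> bool:
        # Only the filter is consulted to decide whether the rule applies.
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net))

def selector_for(rule: Rule, p: Packet):
    """Return the (src, dst, proto, sport, dport) selector to negotiate, or None."""
    if not rule.matches(p):
        return None
    if rule.granularity == "subnet":
        # Coarsest: reuse the filter's own subnets, wildcard everything else.
        return (rule.src_net, rule.dst_net, ANY, ANY, ANY)
    hosts = (p.src + "/32", p.dst + "/32")  # narrowed to the triggering packet
    if rule.granularity == "address":
        return hosts + (ANY, ANY, ANY)
    if rule.granularity == "protocol":
        return hosts + (p.proto, ANY, ANY)
    if rule.granularity == "port":
        return hosts + (p.proto, p.sport, p.dport)
    raise ValueError("unknown granularity: " + rule.granularity)

# Constructed sample traffic: both packets hit the same filter.
P1 = Packet("10.1.0.5", "10.2.0.9", "tcp", 40000, 443)
P2 = Packet("10.1.7.7", "10.2.0.9", "udp", 5000, 53)

if __name__ == "__main__":
    for g in ("subnet", "address", "protocol", "port"):
        rule = Rule("10.1.0.0/16", "10.2.0.0/16", g)
        print(g, selector_for(rule, P1), selector_for(rule, P2))
```

With `subnet` granularity both packets map to one selector (one SA); with any finer setting the same rule yields a distinct selector per packet.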