DMTF SAAction restriction
Hi,
The DMTF policy model Section 3 first paragraph indicates "The IPsec model
restricts the use of SAActions to an ordered choice rather than a list of
actions to be executed." I am wondering how the following situation would be
handled with this restriction. We had similar discussions among IPsec PIB
authors.
A (host)===========C(gateway)---B(host)
A and C are connected to public Internet and B is connected to C. To protect
TCP traffic between hosts A and B, an IPsec security association in
transport mode needs to be established between hosts A and B. In addition,
an IPsec security association in tunnel mode may be set up between host A
and the gateway C that protects the LAN on which host B resides.
In this case, A takes one action to set up an association between A and B.
In addition, A should also set up a tunnel between A and C. From A's point
of view, there are MULTIPLE actions to be taken in that order.
How would you specify a policy to A if you are not allowed to specify a list
of actions to be executed?
Man Li
Nokia
5 Wayside Road, Burlington, MA 01803
man.m.li@xxxxxxxxx
phone 1-781-993-3923
GSM 1-781-492-2850