Re: DMTF SAAction restriction
Superb question. The specification for this kind of policy
hasn't been defined yet, although the drafts do cover the
problem.
In practice, I think most implementations assume that
there is a gateway D in A's security domain, and that
the C<->D policy is specified and enforced at those
gateways.
Of course, the symmetry isn't required. Consider two cases:
1. The system administrators know the topology and
policy in advance.
2. A learns about C dynamically, in the course of
trying to contact host B.
The security gateway discovery protocol is supposed
to cover the second case. This leaves open the question
of how to specify the policy at C, and how A is supposed
to be configured wrt C.
We seem to need a higher level policy that expresses
requirements for composed SAs. Something like
"the A<->B policies can/must be used with
A<->C gateway policy" and "gateway policies must
be tried before non-gateway policies".
If there are more than two layers of gateway, I'm not
sure that the simple rules cover all the cases. John Zao
might be able to help formulate sensible coverage
rules for this specification. John? Are you listening?
Hilarie
>>> <Man.M.Li@xxxxxxxxx> 02/05/01 08:16AM >>>
Hi,
The DMTF policy model Section 3 first paragraph indicates "The IPsec model
restricts the use of SAActions to an ordered choice rather than a list of
actions to be executed." I am wondering how the following situation would be
handled with this restriction. We had similar discussions among IPsec PIB
authors.
A (host)===========C(gateway)---B(host)
A and C are connected to public Internet and B is connected to C. To protect
TCP traffic between hosts A and B, an IPsec security association in
transport mode needs to be established between hosts A and B. In addition,
an IPsec security association in tunnel mode may be set up between host A
and the gateway C that protects the LAN on which host B resides.
In this case, A takes one action to set up an association between A and B.
In addition, A should also set up a tunnel between A and C. From A's point
of view, there are MULTIPLE actions to be taken in that order.
How would you specify a policy to A if you are not allowed to specify a list
of actions to be executed?
Man Li
Nokia
5 Wayside Road, Burlington, MA 01803
man.m.li@xxxxxxxxx
phone 1-781-993-3923
GSM 1-781-492-2850
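The two messages above describe a policy-semantics problem: Man Li's host A needs two SAs (a tunnel to gateway C, then an end-to-end transport SA to B), but the DMTF model lets a rule carry only an ordered choice of SAActions, not a list to execute. The following toy evaluator is an added illustration and is not code from this thread, the DMTF model or any IPsec implementation. The class names (SAAction, CompositeAction), the "succeeds" flag that stands in for a negotiation outcome, and the idea of packaging the tunnel-then-transport sequence as a single composite choice are all assumptions made here to show the difference between "try in order until one succeeds" and "execute all", and to show Hilarie's "gateway policies tried before non-gateway policies" ordering. Whether the DMTF schema admits such a composite action is exactly what the thread leaves open.

```python
"""Toy model of ordered-choice SAActions vs. an execute-all action list.

Constructed example. Names are illustrative, not the DMTF/IETF schema's own.
"""
from dataclasses import dataclass


@dataclass
class SAAction:
    name: str
    mode: str            # "tunnel" or "transport"
    peer: str            # remote SA endpoint, e.g. "C" (gateway) or "B" (host)
    succeeds: bool = True  # constructed stand-in for the negotiation outcome

    def run(self, established):
        """Pretend to negotiate the SA; record it on success."""
        if not self.succeeds:
            return False
        established.append((self.mode, self.peer))
        return True


@dataclass
class CompositeAction:
    """One choice that sets up several SAs in sequence (assumed construct)."""
    name: str
    steps: list

    def run(self, established):
        before = len(established)
        for step in self.steps:
            if not step.run(established):
                del established[before:]   # undo the partial setup
                return False
        return True


def ordered_choice(actions, established):
    """DMTF-style semantics: try actions in order, stop at the first success.
    Returns the chosen action's name, or None if every choice failed."""
    for action in actions:
        if action.run(established):
            return action.name
    return None


def action_list(actions, established):
    """Execute-all semantics (what the DMTF model does not allow)."""
    return [a.name for a in actions if a.run(established)]


def tunnel_to_c(ok=True):
    return SAAction("tunnel-to-C", "tunnel", "C", succeeds=ok)


def transport_to_b():
    return SAAction("transport-to-B", "transport", "B")


def host_a_as_action_list():
    """Man Li's reading: both actions executed, in order."""
    est = []
    return action_list([tunnel_to_c(), transport_to_b()], est), est


def host_a_as_choice_of_singletons():
    """Naive ordered-choice encoding: the first choice wins and the
    transport SA to B is never set up."""
    est = []
    return ordered_choice([tunnel_to_c(), transport_to_b()], est), est


def host_a_as_composite(gateway_ok=True):
    """Composite encoding: gateway tunnel + end-to-end transport SA as one
    choice, with a transport-only fallback after it (gateway policy tried
    before non-gateway policy). If C cannot be reached, the composite is
    abandoned as a unit and the fallback is used."""
    est = []
    actions = [
        CompositeAction("tunnel-C-then-transport-B",
                        [tunnel_to_c(gateway_ok), transport_to_b()]),
        SAAction("transport-to-B-only", "transport", "B"),
    ]
    return ordered_choice(actions, est), est
```

Running `host_a_as_choice_of_singletons()` shows the loss Man Li points at (only the tunnel to C exists afterwards), while `host_a_as_composite()` shows one way to keep the ordered-choice rule and still get both SAs, and `host_a_as_composite(gateway_ok=False)` shows the fallback ordering Hilarie sketches.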