RE: DMTF SAAction restriction
At 17:44 6/02/01 +0000, Wang, Cliff wrote:
>I am confused.....
Sorry for the confusion.
>First, for one data traffic pattern example in 2) below,
>why we try 3 gateways? Are you talking about redundancy?
In the attached example, I used a redundancy design for simplicity's
sake.
>In Man's example, we are
>talking about one tunnel nested in another one. Both tunnels
>need to be set up. The inside tunnel is between A and B. The
>outside tunnel is between A and C. There is no trial and fail allowed.
>
>I think that we are talking about different things.
This is indeed different. The redundancy example was about applying different
policies to one specific traffic flow until one succeeded.
Nested tunnels are about simultaneously applying multiple policies with
two different SARules:
1) one rule for IP traffic from host A to internal host B => transport mode
2) one rule for IP traffic from host A to all hosts protected by
security gateway C => tunnel mode
SARules must be ordered (usually you should put the transport mode rules
before the tunnel mode rules) so that rule 1) is fired first, generating
IKE/IPsec traffic which in turn fires rule 2).
NB: the scheme can be extended to cope with redundancy for the security
gateway ;-)
Hope this helps
-eric
>-----Original Message-----
>From: Eric Vyncke [mailto:evyncke@xxxxxxxxx]
>Sent: Tuesday, February 06, 2001 11:17 AM
>To: Man.M.Li@xxxxxxxxx; ipsec-policy@xxxxxxx
>Subject: RE: DMTF SAAction restriction
>
>
>We talked about different things:
>
>1) when ISAKMP is trying to build a SA, it sends multiple proposals
>
>2) in the DMTF model, for one data traffic pattern, multiple actions are
>tried until success:
> a) let's try ISAKMP with 3DES+RSA or 3DES-pre-shared with SG1
> b) if it fails, let's try ISAKMP with 3DES+RSA or 3DES-pre-shared with SG2
> c) if it fails, let's try DES-pre-shared with SG3
>
>Obviously, the DMTF model allows the configuration of a complex IKE proposal
>(see IKEProposal class which is associated to SANegotiationAction).
>
>Hope this helps
>
>-eric
Eric Vyncke
Distinguished Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke@xxxxxxxxx Mobile: +32-475-312.458
PGP Key available on request
MOBILE HAS CHANGED ON 11th November 2000
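The ordering argument in Eric's reply (transport rule listed before the tunnel rule, the first rule's output re-evaluated so the second one fires), as an added example that is not part of the thread or of any DMTF or Cisco code. The addresses and rule names are constructed assumptions, and the re-evaluation loop is a deliberate simplification of a real IPsec policy engine.

```python
"""Ordered SARule evaluation for nested IPsec tunnels (added example)."""
from ipaddress import ip_address, ip_network

# Constructed addresses (assumptions, not from the thread): host A, internal
# host B, and security gateway C protecting B's subnet.
HOST_A = "10.0.0.1"
HOST_B = "192.168.1.10"
GATEWAY_C = "203.0.113.1"
BEHIND_C = "192.168.1.0/24"

# Rule 1 (transport A->B) is listed before rule 2 (tunnel A->subnet behind C).
SA_RULES = [
    {"name": "rule1", "src": HOST_A, "dst": HOST_B + "/32",
     "mode": "transport", "peer": HOST_B},
    {"name": "rule2", "src": HOST_A, "dst": BEHIND_C,
     "mode": "tunnel", "peer": GATEWAY_C},
]


def first_matching_rule(rules, src, dst, skip):
    """Return the first rule not in `skip` whose selector covers src->dst."""
    for rule in rules:
        if rule["name"] in skip:
            continue
        if src == rule["src"] and ip_address(dst) in ip_network(rule["dst"]):
            return rule
    return None


def apply_policies(rules, src, dst):
    """Return the SAs applied, innermost first, to a packet from src to dst.

    After a rule fires, the packet it produces is re-evaluated against the
    rules that have not fired yet: transport mode keeps the original
    addresses, so the ESP packet can still match a later tunnel rule;
    tunnel mode re-addresses the outer packet to the gateway, which
    normally ends the chain. Terminates because each pass fires one rule.
    """
    applied, fired = [], set()
    cur_dst = dst
    while True:
        rule = first_matching_rule(rules, src, cur_dst, fired)
        if rule is None:
            return applied
        fired.add(rule["name"])
        applied.append((rule["mode"], rule["peer"]))
        if rule["mode"] == "tunnel":
            cur_dst = rule["peer"]


if __name__ == "__main__":
    print(apply_policies(SA_RULES, HOST_A, HOST_B))
    print(apply_policies(list(reversed(SA_RULES)), HOST_A, HOST_B))
```

With the rules in the recommended order the A->B flow gets transport mode inside the tunnel to C; with the tunnel rule first, the outer packet is re-addressed to C before the transport rule can match, so it never fires.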