[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: a question on SPP draft ...



Matthew,

> > The decorrelated representation can
> > result in a big exclusion list.
> > The implementations i have seen all use
> > only ordered policy lists.
> 
> The decorrelated representation of a set of policies
> can be a bit cumbersome, however, it can relatively easily
> be generated from a list of ordered policies.  Earlier drafts
> that included more details on decorrelation, also included
> one algorithm for decorrelating an ordered list of policies.
> I can send out the relevent text about decorrelation, if you'd
> find that useful.

Most IPsec/IKE implementations rely on an ordered list of
IPsec policies for policy matching.  Is there an efficient
method of converting the decorrelated representation into
an (efficient) ordered list, that only requires 'standard'
selectors (ie no exclusion lists or such)?

I think this is very important when considering deployment.

(I haven't read the draft in question, though, so if I am
asking something that is obvious, just let me know.)

-Sami