
RE: UNIQUENESS clause of ipSecIkeRuleTable

Hi Pierrick,

Thanks for pointing this out. Would the addition of
ipSecIkeRuleIkeEndpointGroupId to the UNIQUENESS clause be good enough? It
boils down to the question of "can there be more than one IKE
association between two end points?" If the answer is yes, then
ipSecIkeRuleIkeAssiciationId needs to be added too.

I am starting to think that the ipSecRuleTable has the same issue. The
ipSecRuleIpSecSelectorGroupId needs to be added to the UNIQUENESS clause. What
do you think?

Thanks for your comments.
Man

-----Original Message-----
From: ext MORAND Pierrick FTRD/DMI/CAE
[mailto:pierrick.morand@xxxxxxxxxxxxxxxxxxxx]
Sent: September 20, 2001 04:20 AM
To: IPSEC-POLICY (E-mail)
Subject: UNIQUENESS clause of ipSecIkeRuleTable


Hi!

In the ipSecIkeRuleTable the UNIQUENESS clause is currently the
following:
UNIQUENESS {
       ipSecIkeRuleIfName,
       ipSecIkeRuleRoles
       }
This prevents the PDP from installing, for an interface with a given
Role/IfName tuple value, different IKE policies for different peers.

Shouldn't this clause be set to:
UNIQUENESS {
       ipSecIkeRuleIfName,
       ipSecIkeRuleRoles,
       ipSecIkeRuleIkeAssiciationId ReferenceId,
//for the editor : to be renamed in ipSecIkeRuleIkeAssociationId
       ipSecIkeRuleIkeEndpointGroupId TagReferenceId
       }
I have excluded ipSecIkeRuleIpSecRuleTimePeriodGroupId in order to avoid
an IkeRule (same IkeAssociation and group of peers) being the object of
two different sets of TimePeriod policies, which would lead to the
creation of two different IkeRule instances while the RuleTimePeriodSet
could instead be updated.

Thanks for your comments.

Pierrick Morand
france telecom R&D/DMI/SIR/IPI
Tel: +33 2 31 75 91 79 - Fax: +33 2 31 73 56 26
Email: pierrick.morand@xxxxxxxxxxxxxxxxxxxx
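The two UNIQUENESS clauses in this thread, and Man's remark about the ipSecRuleTable, all come down to which attributes form the key that identifies one policy instance. The following is an added example, not code from the IPSEC-POLICY list or from the IPsec PIB draft: it models a PIB table as a dictionary keyed on the UNIQUENESS attributes, with the ipSecIkeRule prefix dropped from the attribute names and all rule values constructed. The same PibTable class applies to the ipSecRuleTable case with ipSecRuleIpSecSelectorGroupId in the key.

```python
"""Model of a PIB table UNIQUENESS clause as the key that identifies a
policy instance. Constructed example, not code from the IPSEC-POLICY
thread or from the IPsec PIB draft: attribute names drop the
ipSecIkeRule prefix, and all rule values are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeRule:
    """One row of a simplified ipSecIkeRuleTable."""
    IfName: str
    Roles: str
    IkeAssociationId: int      # ReferenceId to the IKE association
    IkeEndpointGroupId: int    # TagReferenceId to the group of peers
    TimePeriodGroupId: int     # ReferenceId to the time-period set


# The UNIQUENESS clause as it stands in the thread, the one proposed,
# and the variant Pierrick deliberately rejects.
ORIGINAL_UNIQUENESS = ("IfName", "Roles")
PROPOSED_UNIQUENESS = ("IfName", "Roles", "IkeAssociationId", "IkeEndpointGroupId")
WITH_TIME_PERIOD = PROPOSED_UNIQUENESS + ("TimePeriodGroupId",)


class PibTable:
    """Stores rule instances, rejecting any row whose UNIQUENESS key is
    already taken by a different row (the PIB's uniqueness constraint)."""

    def __init__(self, uniqueness):
        self.uniqueness = tuple(uniqueness)
        self.rows = {}

    def key(self, rule):
        return tuple(getattr(rule, attr) for attr in self.uniqueness)

    def install(self, rule):
        """True if the PDP could install the rule as a new instance."""
        k = self.key(rule)
        existing = self.rows.get(k)
        if existing is not None and existing != rule:
            return False          # collides with a distinct instance
        self.rows[k] = rule
        return True


def provision(uniqueness, rules):
    """Install rules in order; return (installed, rejected) counts."""
    table = PibTable(uniqueness)
    results = [table.install(r) for r in rules]
    return results.count(True), results.count(False)


# Constructed data: same interface and roles, two different peers.
TWO_PEERS = [
    IkeRule("eth0", "IKE-Responder", IkeAssociationId=1, IkeEndpointGroupId=10, TimePeriodGroupId=100),
    IkeRule("eth0", "IKE-Responder", IkeAssociationId=2, IkeEndpointGroupId=20, TimePeriodGroupId=100),
]

# Constructed data: one rule whose only difference is the time-period set.
SAME_RULE_NEW_TIME_PERIOD = [
    IkeRule("eth0", "IKE-Responder", IkeAssociationId=1, IkeEndpointGroupId=10, TimePeriodGroupId=100),
    IkeRule("eth0", "IKE-Responder", IkeAssociationId=1, IkeEndpointGroupId=10, TimePeriodGroupId=200),
]

if __name__ == "__main__":
    print("two peers, original key      :", provision(ORIGINAL_UNIQUENESS, TWO_PEERS))
    print("two peers, proposed key      :", provision(PROPOSED_UNIQUENESS, TWO_PEERS))
    print("new time period, proposed key:", provision(PROPOSED_UNIQUENESS, SAME_RULE_NEW_TIME_PERIOD))
    print("new time period, +TimePeriod :", provision(WITH_TIME_PERIOD, SAME_RULE_NEW_TIME_PERIOD))
```

With the original key the second peer's rule collides with the first and cannot be installed, which is the limitation Pierrick describes. With the proposed key both peers install, while a rule that differs only in its time-period set is still refused as a new instance, leaving the PDP to update the existing RuleTimePeriodSet; adding TimePeriodGroupId to the key would create two IkeRule instances for the same association and peer group.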