
Re: TED poll (Re: Draft Minutes from IPSP WG Mtg at 52nd IETF)



Lee,

It would be extremely difficult to configure, maintain, secure, and just to
make work in general an LDAP or series of LDAP directories with all the IP
addresses of all the IPsec Security Gateways that could be protecting some set
of hosts at any given time. First of all, one needs to answer a series of
political questions beyond the scope of our work here. For instance, which LDAP
directories, do we trust them, who do we trust, who maintains them... are they
authoritative? etc. The list goes on and on. I would say that we should
consider an independent and dynamic protocol that can propagate IPsec SG
information (IP addresses, policies, etc.) in a secure fashion (authenticated,
integrity checked, encrypted when needed, etc.) among hosts that need such
information to establish an end2end IPsec SA.

Luis

Lee Rafalow wrote:

> Off the top of my head, I'd say that the schema and dit structure would be
> optimized for a fully-qualified hostname search and that gateway topology
> would be represented by DN references.  The available policies would also be
> DN references and can be protected by access controls.  IMHO, this would be
> significantly better than TED in that it is not topology limited and has
> access controls, but I've given almost no thought to scaling and maintenance
> issues (although they seem tractable on first blush).
>
> ----- Original Message -----
> From: "Michael Richardson" <mcr@xxxxxxxxxxxxxxxxxxxxxx>
> To: <ipsec-policy@xxxxxxxx>
> Sent: Monday, December 17, 2001 10:25 PM
> Subject: Re: TED poll (Re: Draft Minutes from IPSP WG Mtg at 52nd IETF)
>
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> >
> > >>>>>  "Lee" == Lee Rafalow <rafalow@xxxxxxxxxxxxxx> writes:
> >      Lee> I was, I think, the only "few objections" to pursuing gateway
> >      Lee> discovery.
> >      Lee> The reason I objected is that if we're going to have a protocol
> >      Lee> that publishes policy to anyone who asks and that only works for a
> >      Lee> subset of the
> >
> >    Keeping policy information confidential is a goal (not always achievable),
> > although I see that it has slipped out of the requirements document. I'll add
> > it back.
> >
> >      Lee> network, we can do much, much better with an existing protocol: LDAP.
> >      Lee> Define a schema (based on the ICPM + topology).  The installation
> >      Lee> can then
> >
> >    And what key would you use to look up the policy in this "global
> > LDAP database"?
> >
> >    if you wish, you may think of tunnel endpoint discovery as potentially
> > discovering an address of an LDAP server along with index into its database.
> >
> > ]       ON HUMILITY: to err is human. To moo, bovine.           |firewalls  [
> > ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> > ] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
> > ] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: 2.6.3ia
> > Charset: latin1
> > Comment: Finger me for keys
> >
> > iQCVAwUBPB63JIqHRg3pndX9AQFsHAP/TBNgvYunZXdjilK8Xm8Z9EaJVVr2iHxm
> > hAB/fXDf9xW+mj8SDYjsRs4hVw7/dDqY4V/5yzJqKuSnLhvK15Z3fjKpcze+BMY2
> > IZam4L83O+IhX8YakBtZ3whp8kz68JiLLUzQbnoRVjJzFFsIprCuwBg5UcvPd724
> > nT23n/yLhuQ=
> > =3hps
> > -----END PGP SIGNATURE-----
> >