[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: SA Rules
I think that the aggregations you point out are vestiges of the original
model. There is no reason why these two cannot be combined into one
> -----Original Message-----
> From: Casey Carr [mailto:kcarr@xxxxxxxxx]
> Sent: Friday, February 01, 2002 11:32 AM
> To: IPSec Policy WG
> Subject: SA Rules
> After implementing the IPSec policy model I have some a small
> gripe. First I would like to thank those who put the time
> and effort into this model. It has proved very useful for
> our IPSec gateway policy manager implementation.
> The issue I have is with RuleForIPSecNegotiation and
> RuleForIKENegotiation. Can someone explain to why there is
> not a direct association between an SARule and
> IPSecPolicyGroup? This association would probably have the
> name SARuleInPolicyGroup.
> Wouldn't it be cleaner to be able to prioritize a single
> collection of rules instead of having to prioritize on set of
> IKERule objects and one set of IPSecRule objects? Since
> these associations each have their own priorities, I have to
> deal with the possibility that an IKERule and an IPSecRule in
> the same policy group can have the same priority.
> This complexity seems to been eliminated from the rest of the
> model. For instance there is not an association
> IKEActionInIKERule or IPSecProposalInIPSecAction.
> If there is not a definitive reason for this (IMHO)
> inconsistency, I would argue that the model should be changed
> to replace the RuleForIPSecNegotiation and
> RuleForIKENegotiation with a single association SARuleInPolicyGroup.
> BTW, despite my concerns our implementation remains true to
> the current model as defined in