[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SA Rules

To: "'Casey Carr'" <kcarr@xxxxxxxxx>, IPSec Policy WG <ipsec-policy@xxxxxxxx>
Subject: RE: SA Rules
From: "Jason, Jamie" <jamie.jason@xxxxxxxxx>
Date: Tue, 5 Feb 2002 13:21:14 -0800
List-archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-id: <ipsec-policy.vpnc.org>
List-unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>
Sender: owner-ipsec-policy@xxxxxxxxxxxxx

Casey,

I think that the aggregations you point out are vestiges of the original
model.  There is no reason why these two cannot be combined into one
aggregation.

Good catch.

Jamie

> -----Original Message-----
> From: Casey Carr [mailto:kcarr@xxxxxxxxx] 
> Sent: Friday, February 01, 2002 11:32 AM
> To: IPSec Policy WG
> Subject: SA Rules
> 
> 
> 
> After implementing the IPSec policy model I have some a small 
> gripe.  First I would like to thank those who put the time 
> and effort into this model.  It has proved very useful for 
> our IPSec gateway policy manager implementation.
> 
> The issue I have is with RuleForIPSecNegotiation and 
> RuleForIKENegotiation. Can someone explain to why there is 
> not a direct association between an SARule and 
> IPSecPolicyGroup?  This association would probably have the 
> name SARuleInPolicyGroup.
> 
> Wouldn't it be cleaner to be able to prioritize a single 
> collection of rules instead of having to prioritize on set of 
> IKERule objects and one set of IPSecRule objects?  Since 
> these associations each have their own priorities, I have to 
> deal with the possibility that an IKERule and an IPSecRule in 
> the same policy group can have the same priority.
> 
> This complexity seems to been eliminated from the rest of the 
> model.  For instance there is not an association 
> IKEActionInIKERule or IPSecProposalInIPSecAction.
> 
> If there is not a definitive reason for this (IMHO) 
> inconsistency, I would argue that the model should be changed 
> to replace the RuleForIPSecNegotiation and 
> RuleForIKENegotiation with a single association SARuleInPolicyGroup.
> 
> BTW, despite my concerns our implementation remains true to 
> the current model as defined in 
> draft-ietf-ipsp-config-policy-model-04.txt.
> 
> Casey
>

Follow-Ups:
- RE: SA Rules
  - From: Casey Carr

Prev by Date: SA Rules
Next by Date: RE: SA Rules
Previous by thread: SA Rules
Next by thread: RE: SA Rules
Index(es):
- Date
- Thread