[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SA Rules



Casey,

I think that the aggregations you point out are vestiges of the original
model.  There is no reason why these two cannot be combined into one
aggregation.

Good catch.

Jamie

> -----Original Message-----
> From: Casey Carr [mailto:kcarr@xxxxxxxxx] 
> Sent: Friday, February 01, 2002 11:32 AM
> To: IPSec Policy WG
> Subject: SA Rules
> 
> 
> 
> After implementing the IPSec policy model I have some a small 
> gripe.  First I would like to thank those who put the time 
> and effort into this model.  It has proved very useful for 
> our IPSec gateway policy manager implementation.
> 
> The issue I have is with RuleForIPSecNegotiation and 
> RuleForIKENegotiation. Can someone explain to why there is 
> not a direct association between an SARule and 
> IPSecPolicyGroup?  This association would probably have the 
> name SARuleInPolicyGroup.
> 
> Wouldn't it be cleaner to be able to prioritize a single 
> collection of rules instead of having to prioritize on set of 
> IKERule objects and one set of IPSecRule objects?  Since 
> these associations each have their own priorities, I have to 
> deal with the possibility that an IKERule and an IPSecRule in 
> the same policy group can have the same priority.
> 
> This complexity seems to been eliminated from the rest of the 
> model.  For instance there is not an association 
> IKEActionInIKERule or IPSecProposalInIPSecAction.
> 
> If there is not a definitive reason for this (IMHO) 
> inconsistency, I would argue that the model should be changed 
> to replace the RuleForIPSecNegotiation and 
> RuleForIKENegotiation with a single association SARuleInPolicyGroup.
> 
> BTW, despite my concerns our implementation remains true to 
> the current model as defined in 
> draft-ietf-ipsp-config-policy-model-04.txt.
> 
> Casey
>