
IPSP MIBs usage review needed




hello all,


our document in the PANA WG proposes to re-use the IPSP MIBs in the PANA framework for authorization features. we need people from this group to review the usage example in our I-D (section 6, page 16):
http://www.ietf.org/internet-drafts/draft-ietf-pana-snmp-01.txt


/*
PANA authorization phase in brief:

         +-----+       PANA        +-----+
         | PaC |<----------------->| PAA |
         +-----+                   +-----+
            ^                         ^
            |                         |
            |         +-----+         |
       IKE/ +-------->| EP  |<--------+ SNMP
    4-way handshake   +-----+

1) the PAA authenticates the PaC via PANA (EAP),
2) the PAA configures the access point (the EP) with authz information.

in the IPsec-based access control case, we need to configure IKE at the EP; the PAA then provides the following information:
- PaC IP address (PaC1-IP@)
- "PANA-Session-Id|PANA-Key-Id" as the id_key_id for aggressive mode
- "PSK-from-PAA" as the Pre-shared Key for phase 1 exchanges
*/


thank you in advance for your support,
yacine








Yacine El Mghazli wrote:


hello,

this email deals with practical usage of the IPSec configuration MIBs this working group designed. It is for re-use in the PANA framework (see http://www.ietf.org/internet-drafts/draft-ietf-pana-snmp-00.txt).

below is a picture of the PANA functional model:

                                              RADIUS/
                                              Diameter/
        +-----+       PANA        +-----+     LDAP/ API    +-----+
        | PaC |<----------------->| PAA |<---------------->| AS  |
        +-----+                   +-----+                  +-----+
           ^                         ^
           |                         |
           |         +-----+         |
      IKE/ +-------->| EP  |<--------+ SNMP
   4-way handshake   +-----+

Figure 1: PANA Functional Model


in brief: once the PaC is authorized by the PAA and the AS (via EAP), the PAA is in charge of configuring the access point (EP) with authz information.
in the IPsec-based access control case, we might want to configure IKE at the EP: the PAA provides to the EP the following information:
- PaC IP address (PaC-TIA)
- "PANA-Session-Id|PANA-Key-Id" as the id_key_id for aggressive mode
- "PSK-from-PAA" as the Pre-shared Key for phase 1 exchanges


you'll find below a tentative example of configuration using your MIBs.
if possible, can you please check it and correct any mistakes?


thanks, yacine

------------------------------------------------------
   so far we define two policy groups ("EP-SPD-IN" and "EP-SPD-OUT"):

   spdEndpointToGroupTable.1 =
      spdEndGroupDirection = incoming;
      spdEndGroupIdentType = IPv4;
      spdEndGroupAddress = EP-ADDR;
      spdEndGroupName = "EP-SPD-IN";

   spdEndpointToGroupTable.2 =
      spdEndGroupDirection = outgoing;
      spdEndGroupIdentType = IPv4;
      spdEndGroupAddress = EP-ADDR;
      spdEndGroupName = "EP-SPD-OUT";

   We define two filters in the "IP Header filter" table: one matches IP
   packets coming from the PaC, the other matches IP packets going to the
   PaC.

   spdIpHeaderFilterTable.1 =
      spdIpHeadFiltName = "PaC1-TIA Filter SOURCE";
      spdIpHeadFiltType = { sourceAddress ON };
      spdIpHeadFiltIPVersion = v4;
      spdIpHeadFiltSrcAddressBegin = PaC1-TIA;
      spdIpHeadFiltSrcAddressEnd = PaC1-TIA;

   spdIpHeaderFilterTable.2 =
      spdIpHeadFiltName = "PaC1-TIA Filter DEST";
      spdIpHeadFiltType = { destAddress ON };
      spdIpHeadFiltIPVersion = v4;
      spdIpHeadFiltDestAddressBegin = PaC1-TIA;
      spdIpHeadFiltDestAddressEnd = PaC1-TIA;

-- IKE Phase 1 configuration (aggressive mode):

   We define a sub-group in policy group "EP-SPD-IN" of the SPD MIB,
   using the "Group contents" table.  This sub-group is dedicated to the
   IKE traffic coming to the EP:

   spdGroupContentsTable.1 =
      spdGroupContName = "EP-SPD-IN";
      spdGroupContPriority = 1;
      spdGroupContFilter = ipiaStaticFilters.1;
      spdGroupContComponentType = sub-group;
      spdGroupContComponentName = "EP-IKE-Phase1-IN";

   And within this IKE-specific policy sub-group we now specify the rule
   to apply for the IKE traffic coming from PaC1.

   spdGroupContentsTable.2 =
      spdGroupContName = "EP-IKE-Phase1-IN";
      spdGroupContPriority = 1;
      spdGroupContFilter = spdIpHeaderFilterTable.1;
      spdGroupContComponentType = rule;
      spdGroupContComponentName = "PaC1-IKE-RULE";

   An entry in the "IP Header filter" table helps defining the filter to
   match packets coming from PaC1.

   spdIpHeaderFilterTable.1 =
      spdIpHeadFiltName = "PaC1-TIA Filter SOURCE";
      spdIpHeadFiltType = { sourceAddress ON };
      spdIpHeadFiltIPVersion = v4;
      spdIpHeadFiltSrcAddressBegin = PaC1-TIA;
      spdIpHeadFiltSrcAddressEnd = PaC1-TIA;

   The "Rule Definition" table links a rule with a given action in the
   IKE action MIB.  This action will be triggered upon reception at
   the EP of an IKE packet coming from PaC1.

   spdRuleDefinitionTable.1 =
      spdRuleDefName = "PaC1-IKE-RULE";
      spdRuleDefDescription = "IPSec Access Control for PaC1";
      spdRuleDefFilter = spdIpHeaderFilterTable.1;
      spdRuleDefFilterNegated = false (default);
      spdRuleDefAction = ipiaIkeActionTable.1;

   The "IKE action" entry below specifies the main parameters for the
   IKE exchanges.

   ipiaIkeActionTable.1 =
      ipiaIkeActName = "PaC1-IKE";
      ipiaIkeActParametersName = "SA-PaC1";
      ipiaIkeActThresholdDerivedKeys = 100 (default);
      ipiaIkeActExchangeMode = aggressive;
      ipiaIkeActAgressiveModeGroupId = xxx [Diffie-Hellman values];
      ipiaIkeActIdentityType = idKeyId;
      ipiaIkeActIdentityContext = "PANA";
      ipiaIkeActPeerName = "PaC1";

   ipiaSaNegotiationParametersTable.1 =
      ipiaSaNegParamName = "SA-PaC1";
      ipiaSaNegParamMinLifetimeSecs = xxx;
      ipiaSaNegParamMinLifetimeKB = xxx;
      ipiaSaNegParamRefreshThreshSecs = xxx;
      ipiaSaNegParamRefreshThresholdKB = xxx;
      ipiaSaNegParamIdleDurationSecs = xxx;

   The "Peer Identity" table specifically informs the EP on the value of
   the idKeyId to use in IKE messages with PaC1:

   ipiaPeerIdentityFilterTable.1 =
      ipiaPeerIdFiltName = "PaC1";
      ipiaPeerIdFiltIdentityType = idKeyId;
      ipiaPeerIdFiltIdentityValue = "PANA-Session-Id|PANA-Key-Id";

   The following entry links a given identity (PaC1) with an entry in
   the "Credentials" table.

   ipiaIkeIdentityTable.1 =
      spdEndGroupIdentType = IPv4;
      spdEndGroupAddress = EP-ADDR;
      ipiaIkeActIdentityType = idKeyId [?????];
      ipiaIkeActIdentityContext = PANA;
      ipiaIkeIdCredentialName = "PaC1-PSK";

   Finally, the pre-shared key derived at the PAA is set here:

   ipiaCredentialFilterTable.1 =
      ipiaCredFiltName = "PaC1-PSK";
      ipiaCredFiltCredentialType = sharedSecret;
      ipiaCredFiltMatchFieldName = (sharedSecret);
      ipiaCredFiltMatchFieldValue = "PSK-from-PAA";
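Added example, not from the draft, the email or the IPSP WG: a small Python consistency check that follows the links between the SPD and IKE action MIB rows of a configuration shaped like the one above (endpoint group, group contents, rule, filter, IKE action, SA parameters, peer identity, credential) and reports any reference that does not resolve. Table and object names are those used in the email; the dict layout and the sample values are constructed assumptions.

```python
# Added example, not from the draft or the IPSP WG: resolves the links between the
# SPD and IKE action MIB rows posted above and reports dangling references. Tables are
# dicts (table -> row index -> object -> value); names come from the email, values are constructed.
NAME_LINKS = [  # (referencing table, object, target table, target name object)
    ("spdEndpointToGroupTable", "spdEndGroupName", "spdGroupContentsTable", "spdGroupContName"),
    ("ipiaIkeActionTable", "ipiaIkeActParametersName", "ipiaSaNegotiationParametersTable", "ipiaSaNegParamName"),
    ("ipiaIkeActionTable", "ipiaIkeActPeerName", "ipiaPeerIdentityFilterTable", "ipiaPeerIdFiltName"),
    ("ipiaIkeIdentityTable", "ipiaIkeIdCredentialName", "ipiaCredentialFilterTable", "ipiaCredFiltName"),
]

def check_config(cfg):
    """Return the dangling references found; an empty list means every link resolves."""
    names = lambda table, obj: {row[obj] for row in cfg.get(table, {}).values()}
    problems = []
    for table, obj, ttable, tobj in NAME_LINKS:
        for value in sorted(names(table, obj) - names(ttable, tobj)):
            problems.append(f"{obj} = {value!r} has no matching {ttable} row")
    for row in cfg["spdGroupContentsTable"].values():  # component is a sub-group or a rule
        sub = row["spdGroupContComponentType"] == "sub-group"
        target = ("spdGroupContentsTable", "spdGroupContName") if sub else ("spdRuleDefinitionTable", "spdRuleDefName")
        if row["spdGroupContComponentName"] not in names(*target):
            problems.append(f"component {row['spdGroupContComponentName']!r} has no {target[0]} row")
    for row in cfg["spdRuleDefinitionTable"].values():  # RowPointers written "table.index"
        for obj in ("spdRuleDefFilter", "spdRuleDefAction"):
            ttable, _, idx = row[obj].partition(".")
            if idx not in cfg.get(ttable, {}):
                problems.append(f"{obj} = {row[obj]!r} does not resolve")
    # A filter that selects on destAddress must carry destination bounds, not source ones.
    for idx, f in cfg["spdIpHeaderFilterTable"].items():
        if "destAddress" in f["spdIpHeadFiltType"] and "spdIpHeadFiltDestAddressBegin" not in f:
            problems.append(f"spdIpHeaderFilterTable.{idx} selects destAddress but sets no destination range")
    return problems

CONFIG = {  # constructed from the posted example, with the names made consistent
    "spdEndpointToGroupTable": {"1": {"spdEndGroupName": "EP-SPD-IN"}},
    "spdGroupContentsTable": {
        "1": {"spdGroupContName": "EP-SPD-IN", "spdGroupContComponentType": "sub-group", "spdGroupContComponentName": "EP-IKE-Phase1-IN"},
        "2": {"spdGroupContName": "EP-IKE-Phase1-IN", "spdGroupContComponentType": "rule", "spdGroupContComponentName": "PaC1-IKE-RULE"}},
    "spdIpHeaderFilterTable": {
        "1": {"spdIpHeadFiltType": {"sourceAddress"}, "spdIpHeadFiltSrcAddressBegin": "PaC1-TIA"},
        "2": {"spdIpHeadFiltType": {"destAddress"}, "spdIpHeadFiltDestAddressBegin": "PaC1-TIA"}},
    "spdRuleDefinitionTable": {"1": {"spdRuleDefName": "PaC1-IKE-RULE", "spdRuleDefFilter": "spdIpHeaderFilterTable.1",
                                     "spdRuleDefAction": "ipiaIkeActionTable.1"}},
    "ipiaIkeActionTable": {"1": {"ipiaIkeActParametersName": "SA-PaC1", "ipiaIkeActPeerName": "PaC1"}},
    "ipiaSaNegotiationParametersTable": {"1": {"ipiaSaNegParamName": "SA-PaC1"}},
    "ipiaPeerIdentityFilterTable": {"1": {"ipiaPeerIdFiltName": "PaC1"}},
    "ipiaIkeIdentityTable": {"1": {"ipiaIkeIdCredentialName": "PaC1-PSK"}},
    "ipiaCredentialFilterTable": {"1": {"ipiaCredFiltName": "PaC1-PSK"}},
}
```

Running `check_config` on a variant where the sub-group is named differently in its two rows, the action pointer names a table that does not exist, or the destination filter only sets source bounds reports one problem per mismatch.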