
Re: DOI terminology question




--- On Fri, 08 Aug 1997 08:35:29 -0700  "Scott G. Kelly" <scott@fet.com> wrote:

> Not trying to be quarrelsome, just trying to understand: DOI *does*
> apply to manually configured SA's, right? I mean, it's reasonable to say
> that someone might someday manually configure concurrent SA's which
> apply to different DOI's, right?

Your terminology is perhaps confusing, so I would recommend seeking
a more clear terminology.  As Ted suggests, defining terms is perhaps
useful.  (Towards that end:  SA == Security Association :-)

In the more common definition, the "IPsec DOI" _only_ applies to ISAKMP.

The definition of a minimal conforming "IPsec SA" is formally made in RFC-1825.
Please do not mistake the "IPsec DOI" as being the formal definition of
an IPsec SA.

The "IPsec DOI" document happens to have a set of attributes that 
map to the minimal items of an SA (which is formally defined by RFC-1825) 
and also a set of additional items not required by RFC-1825.  

An IPsec SA created via some other method (e.g. Photuris or 
manual configuration) MUST conform with the minimal requirements specified 
in RFC-1825, but need not have any attribute beyond those required by RFC-1825.

If one has a RIPv2 SA and an OSPFv2 SA, one normally refers to these
as different kinds of SAs.  One does not normally use the term "DOI"
to distinguish between or among them.

> Agreed. I should never have said it was an 'IPsec term'. What I should
> have said is this: even though DOI rightly occurs in the ISAKMP
> context, it refers to SA's, i.e. 'domain of interpretation' w.r.t. the
> SA being defined. Hence, DOI is not irrelevant to manual SA
> configuration.

The "DOI" is _only_ applicable to ISAKMP (or some other multi-application
KMP) and does _not_ apply to manually created SAs.

Aside: I personally find the term "SPD" as used in the new drafts
to be somewhat confusing.  However, I think that the logical
"SPD" might correspond to the ipsec_policy.c module of the NRL
codebase.  I'm not too sure.

Ran
rja@inet.org


