Re: DOI terminology question
--- On Fri, 08 Aug 1997 08:35:29 -0700 "Scott G. Kelly" <scott@fet.com> wrote:
> Not trying to be quarrelsome, just trying to understand: DOI *does*
> apply to manually configured SAs, right? I mean, it's reasonable to say
> that someone might someday manually configure concurrent SAs which
> apply to different DOIs, right?
Your terminology is perhaps confusing, so I would recommend seeking
clearer terminology. As Ted suggests, defining terms is perhaps
useful. (Towards that end: SA == Security Association :-)
In the more common definition, the "IPsec DOI" _only_ applies to ISAKMP.
The definition of a minimal conforming "IPsec SA" is formally made in RFC-1825.
Please do not mistake the "IPsec DOI" as being the formal definition of
an IPsec SA.
The "IPsec DOI" document happens to have a set of attributes that
map to the minimal items of an SA (which is formally defined by RFC-1825)
and also a set of additional items not required by RFC-1825.
An IPsec SA created via some other method (e.g. Photuris or
manual configuration) MUST conform with the minimal requirements specified
in RFC-1825, but need not have any attribute beyond those required by RFC-1825.
If one has a RIPv2 SA and an OSPFv2 SA, one normally refers to these
as different kinds of SAs. One does not normally use the term "DOI"
to distinguish between or among them.
> Agreed. I should never have said it was an 'IPsec term'. What I should
> have said is this: even though DOI rightly occurs in the ISAKMP
> context, it refers to SAs, i.e. 'domain of interpretation' w.r.t. the
> SA being defined. Hence, DOI is not irrelevant to manual SA
> configuration.
The "DOI" is _only_ applicable to ISAKMP (or some other multi-application
KMP) and does _not_ apply to manually created SAs.
Aside: I personally find the term "SPD" as used in the new drafts
to be somewhat confusing. However, I think that the logical
"SPD" might correspond to the ipsec_policy.c module of the NRL
codebase. I'm not too sure.
Ran
rja@inet.org
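As an added illustration of the distinction Ran draws (this is not code from the message, from the NRL codebase, or from any IPsec draft): a toy Security Association Database in Python that holds a manually configured SA next to one derived from an ISAKMP/IPsec DOI exchange. The minimal SA carries only what RFC 1825 requires and records no DOI at all; the ISAKMP-derived SA maps its DOI attributes onto those same fields and keeps the surplus separately. Inbound lookup is by destination address, SPI and protocol, and never consults a DOI. The field names, the SAD API, the attribute-to-field mapping, the RFC 2407 attribute names (which postdate this thread) and the all-zero sample keys are this example's own assumptions.

```python
# Added illustration, not code from the post or any IPsec implementation: a toy
# Security Association Database holding a manually configured SA beside one
# derived from an ISAKMP/IPsec DOI exchange, to show that the minimal SA of
# RFC 1825 is complete without any DOI attribute. Field names, the SAD API, the
# attribute-to-field mapping and the sample keys are this example's assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, Optional, Tuple


@dataclass
class SecurityAssociation:
    # Identification: RFC 1825 uses destination address + SPI; the protocol
    # (AH or ESP) is part of the key in the later IPsec architecture documents.
    dst: str
    spi: int
    protocol: str                       # "AH" or "ESP"
    # Minimal RFC 1825 parameters (the subset this example tracks).
    auth_alg: str
    auth_key: bytes
    enc_alg: Optional[str] = None       # ESP only
    enc_key: Optional[bytes] = None
    lifetime_seconds: Optional[int] = None
    mode: str = "transport"
    # Provenance. A DOI is recorded only when a multi-application KMP
    # (ISAKMP) produced the SA; a manual or Photuris SA has none.
    created_by: str = "manual"
    doi: Optional[str] = None
    extra: Dict[str, object] = field(default_factory=dict)


def validate_minimal(sa: SecurityAssociation) -> None:
    """RFC 1825 minimum: valid identification plus the keys the protocol
    needs. Deliberately says nothing about DOI attributes."""
    ip_address(sa.dst)                               # raises on a bad address
    if not 0 <= sa.spi <= 0xFFFFFFFF:
        raise ValueError("SPI is a 32-bit value")
    if 1 <= sa.spi <= 255:
        raise ValueError("SPIs 1-255 are reserved to IANA (RFC 1825)")
    if sa.protocol not in ("AH", "ESP"):
        raise ValueError("protocol must be AH or ESP")
    if not sa.auth_key:
        raise ValueError("authentication key is required")
    if sa.protocol == "ESP" and not (sa.enc_alg and sa.enc_key):
        raise ValueError("ESP SA needs an encryption algorithm and key")


class SAD:
    """Security Association Database keyed by (dst, SPI, protocol)."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[str, int, str], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        validate_minimal(sa)
        key = (str(ip_address(sa.dst)), sa.spi, sa.protocol)
        if key in self._sas:
            raise ValueError(f"duplicate SA {key}")
        self._sas[key] = sa

    def lookup_inbound(self, dst: str, spi: int, protocol: str):
        # Inbound processing selects the SA from header fields alone;
        # no DOI is consulted, whatever created the SA.
        return self._sas.get((str(ip_address(dst)), spi, protocol))


# IPsec DOI attribute names as in RFC 2407 (later than this thread). Which of
# them fill minimal SA fields is this example's own choice.
DOI_TO_FIELD = {"Authentication Algorithm": "auth_alg", "Encapsulation Mode": "mode"}


def sa_from_isakmp(dst, spi, protocol, auth_key, attrs, transform=None, enc_key=None):
    """Map IPsec DOI attributes onto the minimal SA; anything RFC 1825 does
    not require is kept in `extra` instead of becoming a new SA field."""
    fields: Dict[str, object] = {}
    extra: Dict[str, object] = {}
    for name, value in attrs.items():
        if name in DOI_TO_FIELD:
            fields[DOI_TO_FIELD[name]] = value
        else:
            extra[name] = value
    # Life Type + Life Duration in seconds become the minimal lifetime;
    # kilobyte lifetimes would simply stay in `extra`.
    if extra.get("SA Life Type") == "seconds" and "SA Life Duration" in extra:
        fields["lifetime_seconds"] = int(extra.pop("SA Life Duration"))
        extra.pop("SA Life Type")
    if "auth_alg" not in fields:
        raise ValueError("ISAKMP SA is missing Authentication Algorithm")
    return SecurityAssociation(dst=dst, spi=spi, protocol=protocol,
                               auth_key=auth_key, enc_alg=transform, enc_key=enc_key,
                               created_by="isakmp", doi="IPsec DOI", extra=extra, **fields)


def build_demo_sad() -> SAD:
    """Constructed sample: one manual AH SA, one ISAKMP-negotiated ESP SA,
    both to the same destination. Keys are all-zero placeholders."""
    sad = SAD()
    sad.add(SecurityAssociation(dst="192.0.2.1", spi=0x1000, protocol="AH",
                                auth_alg="HMAC-MD5", auth_key=bytes(16)))
    sad.add(sa_from_isakmp(
        dst="192.0.2.1", spi=0x2000, protocol="ESP", auth_key=bytes(20),
        transform="ESP_3DES", enc_key=bytes(24),
        attrs={"Authentication Algorithm": "HMAC-SHA", "Encapsulation Mode": "tunnel",
               "SA Life Type": "seconds", "SA Life Duration": 28800,
               "Group Description": 2}))
    return sad


if __name__ == "__main__":
    demo = build_demo_sad()
    for spi, proto in ((0x1000, "AH"), (0x2000, "ESP")):
        sa = demo.lookup_inbound("192.0.2.1", spi, proto)
        print(f"{proto} SPI {spi:#x}: created_by={sa.created_by} doi={sa.doi} extra={sa.extra}")
```

The point to take from the lookup is that the manual SA validates and is found with `doi` left at `None`, while the ISAKMP-derived SA ends up with exactly the same minimal fields plus a `doi` label and a leftover `Group Description` attribute that RFC 1825 never asked for.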