
Re: Auto filter rule generation for Phase 2 tunnels



Mike,

	The arch doc tries to explain a (proposed) required interface
functionality with the model.  In that sense we were not trying to dictate
any implementation approach, only to describe the required features.  The
document emphasizes that the model provided is only illustrative, not
normative.

	The very recent discussion on this list about filters and tunnels
at security gateways seems to support the notion that we need to have a
model for how this will work, and the issues raised in these messages are
addressed in the architecture document.

	It is precisely because there is no canonical ordering that we were
motivated to propose a requirement for an administratively-defined (local)
ordering on the SPD.  This is exactly what one does in typical packet
filtering firewalls and routers, and so the notion is not new to the IPsec
environment.  There seems to be some support for the notion of checking
packets to ensure that they match SA parameters, e.g., to prevent spoofing,
and that would seem to require consistent (ordered?) application of filters
that is known by both ends of each SA.

Steve

P.S.  Thanks for the positive feedback on the document in general.
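As an added illustration (not from this thread or from any IPsec implementation), the two ideas the message refers to in minimal form: an SPD whose entries are consulted in an administratively-defined order with first-match semantics, as in a packet-filtering firewall, and the inbound check that a decapsulated packet actually matches the selectors bound to the SA it arrived on. The Selector/SPDEntry classes, the default-deny entry and the sample policy are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Selector:
    """Traffic selector (hypothetical subset): address ranges, optional proto/port."""
    src: str
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        return self.dport is None or pkt.get("dport") == self.dport

@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str                  # "discard", "bypass" or "protect"
    sa_id: Optional[str] = None  # SA the traffic is bound to when action == "protect"

class SPD:
    """Ordered SPD: entries are tried top to bottom and the first match decides."""
    def __init__(self, entries):
        self.entries = list(entries)  # administratively-defined (local) order

    def lookup(self, pkt: dict) -> SPDEntry:
        for entry in self.entries:
            if entry.selector.matches(pkt):
                return entry
        # Assumed default: anything no entry covers is discarded.
        return SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), "discard")

    def check_inbound(self, sa_id: str, inner_pkt: dict) -> bool:
        """After decapsulation on sa_id, the inner packet must match the selector
        bound to that SA; otherwise a peer could inject traffic with spoofed
        addresses through a tunnel negotiated for a different address range."""
        for entry in self.entries:
            if entry.action == "protect" and entry.sa_id == sa_id:
                return entry.selector.matches(inner_pkt)
        return False  # unknown SA: never accept

# Constructed policy: drop telnet to one server, tunnel everything else from the site.
TELNET = SPDEntry(Selector("10.1.0.0/16", "192.0.2.10/32", proto=6, dport=23), "discard")
TUNNEL = SPDEntry(Selector("10.1.0.0/16", "192.0.2.0/24"), "protect", sa_id="sa-gw-a")
spd = SPD([TELNET, TUNNEL])
```

Swapping the two entries makes the telnet packet match the tunnel entry first, which is why the ordering itself has to be part of the policy rather than left to the implementation.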
