
Re: draft-ietf-ipsec-arch-sec-02.txt and last call



Mike,

	Having watched the reverse chronological Seinfeld episode last
night, I'll respond to your final observation first; the ordering
requirement for SPD entries is not new.  It was present in the 7/30
version of the security architecture document as well as the current
version.  If an administrator cannot determine the order for SPD entries,
then it will not be possible to express some policies, because of overlaps
in selectors and an inability to impose a canonical ordering on the
selectors.  Hence the motivation for that requirement.

	As for the question of the level of administrative control required
by the arch doc, you are right that it requires the ability to specify
packet processing, including discard, at the granularity of ports, etc.
For example, a user of a security gateway might want to allow SMTP traffic
through (w/o IPsec processing) if addressed to a mail server behind the
gateway, but require IPsec for other traffic to that or other hosts behind
the gateway.  That level of control will be available only if port-level
SAs are supported.  The question is whether the WG wants compliant
implementations to offer only a subset of possible, reasonable policies.
Unfortunately, this is an interoperability issue, not just a local matter,
in that both ends of an SA need to be able to offer the same granularity of
selection.  Hence the inclusion in this document.

	Ultimately, the WG must decide what set of policies are of
sufficiently general interest to warrant mandatory inclusion.  We did
receive some private feedback on the 7/30 version of the document and made
changes to reflect those comments.  Other than your recent comments, we have
received almost no feedback on this version, and the SPD requirements have
not changed substantively since then.  (The main change to that portion of
the document was to remove the notion of the SAM, an efficiency hack that
was not essential to explaining the administrative interface and one that
also had some technical problems!)

Steve
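
The SMTP policy and the ordering argument in the message above, as an added Python example that is not part of the original message, the architecture draft, or any IPsec implementation. It models an SPD as an ordered list of entries with overlapping selectors and first-match lookup; the address range 10.1.0.0/16, the mail server 10.1.0.25, the sample packets, and the choice to discard packets that match no entry are all constructed for the example. It goes one step beyond the text by including a shadowing check that reports entries an earlier, broader entry makes unreachable.

```python
"""Ordered SPD lookup with overlapping selectors.

Added illustration for this archive page; it is not code from the IPsec
architecture draft or from any IPsec implementation. The address range,
the mail-server address and the sample packets are constructed here, and
the no-match action (discard) is this example's own choice.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"  # SPD actions
TCP = 6


@dataclass(frozen=True)
class SPDEntry:
    """One SPD entry: a destination prefix plus optional protocol and
    destination-port selectors (None means "any")."""
    dst: str
    action: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (
            ip_address(pkt["dst"]) in ip_network(self.dst)
            and (self.proto is None or self.proto == pkt["proto"])
            and (self.dport is None or self.dport == pkt.get("dport"))
        )

    def covers(self, other: "SPDEntry") -> bool:
        """True if every packet matching `other` also matches this entry."""
        return (
            ip_network(self.dst).supernet_of(ip_network(other.dst))
            and (self.proto is None or self.proto == other.proto)
            and (self.dport is None or self.dport == other.dport)
        )


def lookup(spd: List[SPDEntry], pkt: dict) -> str:
    """First-match lookup in the ordered SPD; no match means discard."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action
    return DISCARD


def shadowed(spd: List[SPDEntry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry
    already covers every packet they select (a policy-lint check)."""
    return [
        i for i, later in enumerate(spd)
        if any(earlier.covers(later) for earlier in spd[:i])
    ]


# Constructed policy: SMTP to the mail server may bypass IPsec; every other
# packet to the protected network must be IPsec-protected.
MAIL_SERVER = "10.1.0.25/32"
PROTECTED_NET = "10.1.0.0/16"


def ordered_spd() -> List[SPDEntry]:
    """The administrator's intended order: the specific entry first."""
    return [
        SPDEntry(MAIL_SERVER, BYPASS, proto=TCP, dport=25),
        SPDEntry(PROTECTED_NET, PROTECT),
    ]


def reversed_spd() -> List[SPDEntry]:
    """Same two entries, broad one first: the SMTP exception is unreachable."""
    return list(reversed(ordered_spd()))


# Constructed sample packets (destination address, IP protocol, dest port).
SMTP_TO_MAIL = {"dst": "10.1.0.25", "proto": TCP, "dport": 25}
HTTP_TO_MAIL = {"dst": "10.1.0.25", "proto": TCP, "dport": 80}
SMTP_TO_OTHER = {"dst": "10.1.0.30", "proto": TCP, "dport": 25}
OUTSIDE = {"dst": "192.0.2.7", "proto": TCP, "dport": 25}

if __name__ == "__main__":
    for name, spd in (("ordered", ordered_spd()), ("reversed", reversed_spd())):
        print(name, "SMTP to mail server ->", lookup(spd, SMTP_TO_MAIL),
              "| shadowed entries:", shadowed(spd))
```

With the entries in the intended order, SMTP to the mail server bypasses IPsec while other traffic to the same host, and SMTP to any other host behind the gateway, is protected. With the same two entries in the opposite order, the broad entry matches first and the SMTP exception can never fire, which is exactly the policy that becomes inexpressible when the administrator cannot control SPD order.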
