
Re: Results of the IPSEC document reading party



... Daniel Harkins said ...
[snip]
>But it seems to me that for unambiguous policy we can have a standard, 
>unambiguous, way to do those sorts-- to decide which is "better".
>If my unambiguous policy says: "all traffic from net A to net B is 
>protected by FOO except traffic from host a to host b which is protected
>by BAR" then why can't we decide that receipt of a packet from host b
>for host a that is not protected by BAR MUST be dropped?
[snip]

>Perhaps this isn't the best way to define the sorting. I'm not claiming it
>is, only that it's something for the WG to consider and I really really
>really believe that the WG should consider a standard, unambiguous way to
>define sorting. Just saying, "take the first one" doesn't work.

If it is "take the first one, from an ordered set defined by the administrator"
it is much less ambiguous than any other set of sorting rules that you could
define... admittedly this is giving the administrator a gun that is easy to
point at the foot, but tools could warn when it looked like he was about to
shoot it...

We seem to have two separate issues here:
	1) How does one portably specify rule sets for IPSec/IPSecond.
	  If we want to define portable rule sets (A good thing) We need to
	  have standards to specify what they _mean_. Personally I would
	  prefer the ordered set approach to this, as it will often generate
	  smaller rule sets. An implementation is free to convert this rule
	  set into whatever internal representation it wants...

	2) The sorting/search algorithm used by an implementation to find the
	  appropriate rule. This has no need to be defined here... In fact the
	  note about searching the rules in order should probably be amended
	  so that it is more clearly stated that an implementation doesn't
	  need to _actually_ search in order...

	-gordo
--
---------------------------------------------------------------
Gordon Oliver	(gordo@telsur.cl)	Independent Consultant
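The two positions in the thread (an ordered, first-match rule set defined by the administrator, versus a standard "most specific wins" sort) can be made concrete with a small policy-lookup model. The following is an added example, not code from either poster or from any IPsec implementation: it treats the SPD as an ordered list, resolves a packet to the first matching rule, enforces the inbound check Daniel describes (a packet from host b to host a that did not arrive under the protection the policy requires is dropped), and implements the warning tool Gordon suggests, flagging any rule that an earlier rule completely shadows. The labels FOO and BAR are taken from the message; the network and host addresses, the `Rule` class and all function names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One SPD entry: traffic from src to dst must be handled by `action`.

    `action` is the protection label ("FOO", "BAR") or "DROP".
    """
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str

def rule(src: str, dst: str, action: str) -> Rule:
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), action)

def first_match(rules: list[Rule], src_ip: str, dst_ip: str) -> str:
    """Ordered-set semantics: the first rule whose selectors cover the packet wins.

    Nothing matching means the packet is dropped (default-deny is an assumption
    of this example, not something the thread specifies).
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "DROP"

def inbound_accept(rules: list[Rule], src_ip: str, dst_ip: str, arrived_under: str) -> bool:
    """Inbound check: accept only if the protection the packet actually arrived
    under equals the protection the policy requires for that src/dst pair.

    `arrived_under` is the label of the SA that decapsulated the packet, or
    "NONE" for cleartext.
    """
    required = first_match(rules, src_ip, dst_ip)
    return required != "DROP" and required == arrived_under

def shadowed_rules(rules: list[Rule]) -> list[int]:
    """The 'gun pointed at the foot' detector: indices of rules whose whole
    src/dst space is already covered by an earlier rule, so they can never fire.
    """
    dead = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if r.src.subnet_of(earlier.src) and r.dst.subnet_of(earlier.dst):
                dead.append(i)
                break
    return dead

# Constructed topology: net A = 10.1.0.0/16, net B = 10.2.0.0/16,
# host a = 10.1.0.5, host b = 10.2.0.9.
NET_A, NET_B = "10.1.0.0/16", "10.2.0.0/16"
HOST_A, HOST_B = "10.1.0.5", "10.2.0.9"

# Correct ordering: the specific a<->b exception precedes the general A<->B rule.
GOOD_SPD = [
    rule(HOST_A, HOST_B, "BAR"),
    rule(HOST_B, HOST_A, "BAR"),
    rule(NET_A, NET_B, "FOO"),
    rule(NET_B, NET_A, "FOO"),
]

# Mis-ordered: same rules, general ones first, so the a<->b exception is dead.
BAD_SPD = [
    rule(NET_A, NET_B, "FOO"),
    rule(NET_B, NET_A, "FOO"),
    rule(HOST_A, HOST_B, "BAR"),
    rule(HOST_B, HOST_A, "BAR"),
]

if __name__ == "__main__":
    print("a->b under GOOD_SPD:", first_match(GOOD_SPD, HOST_A, HOST_B))      # BAR
    print("a->b under BAD_SPD: ", first_match(BAD_SPD, HOST_A, HOST_B))       # FOO
    print("b->a arriving under FOO accepted?",
          inbound_accept(GOOD_SPD, HOST_B, HOST_A, "FOO"))                    # False
    print("shadowed rules in BAD_SPD:", shadowed_rules(BAD_SPD))              # [2, 3]
```

With `GOOD_SPD` the lookup is unambiguous and the shadow check is empty; with `BAD_SPD` the exception rules are reported as unreachable before the policy is loaded, which is exactly the kind of warning a tool can give the administrator while leaving the on-the-wire meaning of the ordered set simple. The internal search order of a real implementation can differ (a trie or hash on the selectors) as long as it returns the same first-match answer.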
