
IPSec policy
It looks like the policy descriptors have been designed from the initiator
perspective, rather than the responder perspective.  When the initiator wants
to figure out the policy, it goes to the policy database, and grabs the
appropriate proposals, etc.  When the responder gets this incoming request, it
should also go to its own policy database.  The proposal, from a responder
perspective, can be lined up alongside the initiator proposal, and somehow you
figure out which is the most appropriate (I say that somehow you figure it out
because the results could change depending on whether you consider the
initiator proposal to take precedence over the responder or not: is this worth
standardizing?).

Anyway, it's highly unlikely that the proposal will match, down to exact expiry
values.  I think the responder proposal must have a range for attributes that
are "rangeable."  E.g., it may make sense to have a policy that says the RC5
encryption alg will be accepted with any key size between 512 and 1024, rather
than code up a separate proposal for each acceptable key length value.

The responder proposal is obviously useful only for responding.  The initiator
proposal does not have a place for ranges in the format of the proposal.

Vach Kompella
IBM Corp.
Network Security Product Development
kompella@us.ibm.com
Ph.: (919) 254-7281
Fax: (919) 254-4239
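The two points above (a responder policy with ranges for "rangeable" attributes, and a selection result that changes depending on whether the initiator's or the responder's ordering takes precedence) can be shown with a small toy matcher. The code below is an added illustration and not part of Kompella's message or any IKE implementation; the algorithm names, key sizes, lifetimes, the attribute set, and the two ordering rules are all constructed assumptions, and the initiator proposals are deliberately exact-valued, since the initiator proposal format has no place for ranges.

```python
"""Added example (not from the original message): a responder-side policy
matcher whose rangeable attributes (key length, lifetime) are (min, max)
ranges, lined up against an initiator's exact-valued proposal list.
Names, numbers and attribute set are constructed for illustration only."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """An initiator proposal: exact values only, no ranges."""
    encr: str
    key_bits: int
    lifetime_s: int


@dataclass(frozen=True)
class ResponderEntry:
    """A responder policy entry: rangeable attributes carry (min, max)."""
    encr: str
    key_bits: Tuple[int, int]
    lifetime_s: Tuple[int, int]


def in_range(value: int, rng: Tuple[int, int]) -> bool:
    lo, hi = rng
    return lo <= value <= hi


def acceptable(p: Proposal, e: ResponderEntry) -> bool:
    """True if the initiator's exact values fall inside the responder's ranges."""
    return (p.encr == e.encr
            and in_range(p.key_bits, e.key_bits)
            and in_range(p.lifetime_s, e.lifetime_s))


def select(initiator: List[Proposal], responder: List[ResponderEntry],
           initiator_precedence: bool = True) -> Optional[Proposal]:
    """Pick the proposal to accept.

    initiator_precedence=True : walk the initiator's list in its order and
        accept the first proposal that any responder entry admits.
    initiator_precedence=False: walk the responder's list in its order and
        accept the first initiator proposal that the entry admits.
    Both orderings are assumed rules for the "somehow you figure out which
    is most appropriate" step; the message leaves that open.
    """
    if initiator_precedence:
        for p in initiator:
            if any(acceptable(p, e) for e in responder):
                return p
        return None
    for e in responder:
        for p in initiator:
            if acceptable(p, e):
                return p
    return None


# Constructed sample data. The initiator prefers RC5/1024 with an 8-hour
# lifetime and offers 3DES as a fallback; the responder prefers 3DES and
# admits RC5 at any key size from 512 to 1024 bits, with any lifetime
# between 10 minutes and a day, rather than one entry per key length.
INITIATOR_PROPOSALS = [
    Proposal("RC5", 1024, 28800),
    Proposal("3DES", 168, 3600),
]
RESPONDER_POLICY = [
    ResponderEntry("3DES", (168, 168), (600, 86400)),
    ResponderEntry("RC5", (512, 1024), (600, 86400)),
]


def negotiate_both_ways() -> dict:
    """Run the same inputs under both precedence rules to show they differ."""
    return {
        "initiator_precedence": select(INITIATOR_PROPOSALS, RESPONDER_POLICY, True),
        "responder_precedence": select(INITIATOR_PROPOSALS, RESPONDER_POLICY, False),
    }


if __name__ == "__main__":
    for rule, chosen in negotiate_both_ways().items():
        print(f"{rule}: {chosen}")
    # A proposal outside the range is rejected even though the algorithm matches.
    print(select([Proposal("RC5", 256, 3600)], RESPONDER_POLICY))
```

With the same two lists, initiator precedence yields RC5/1024 and responder precedence yields 3DES, which is exactly why the message asks whether the tie-breaking rule is worth standardizing. Note that none of the responder's ranges would survive a trip through the initiator proposal format; they exist only in the responder's local database.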