
Re: SAD and SPD



Jack Aubert wrote:
> 
> I am trying to research the current state of play with respect to
> management of large VPNs using IPsec.
> 
> Imagine a very large VPN with many worldwide SG tunnel entry points using
> IPsec -- say at least one per country...on the order of 200.  Also assume
> that it is necessary to add, subtract, or reconfigure any of these devices
> from one point.  "One point" could literally mean one point, or (with
> appropriate access control) from any one of the 200 points.
> 
> Reading the current architecture draft, my impression is that the SAD will
> carry information on SAs that a particular device (in this case a SG)
> participates in, and  would probably be kept close to -- presumably on --
> the SG itself.  The SPD, on the other hand, would aggregate and summarize
> policies, and could be kept/coordinated more centrally queried by the
> devices needing to set up an SA using LDAP.

<trimmed...>

> Is this a correct reading of the current drafts, and does it seem to make
> any sense?

Yes, the master SPD could be centrally managed, and queried using any
number of mechanisms (not just LDAP), or the entries could be
distributed rather than requested, using SNMP or other mechanisms.
However, it would be quite inefficient to *always* query it, since the
ARCH (rfc?) requires that the SPD be consulted on a per-packet basis.
Might be better to distribute all applicable policies to the querying
system at one time, and then have some algorithm for maintaining cache
coherence.

Obviously, it's conceivable that the number of applicable policies for a
given SGW could exceed its cache size, in which case we're back to your
original proposal. However, this could be viewed as a resource
allocation problem for the SGW rather than an architectural issue, and
in any event, the SGW will need to cache the SPD entries which produced
the active SAs in some form or another.
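The arrangement discussed above (a master SPD at the management point, per-packet lookups served from a bounded cache on each SGW, a push-based coherence mechanism, and a fall-back query to the master when a flow is not cached) as an added illustration; this is not code from the original thread or from any IPsec implementation, and every name in it (`CentralSPD`, `GatewayCache`, `Policy`, `pkt`, `run_demo`) is hypothetical. The SPD model is deliberately simplified: an ordered list of selector entries, first match wins, and a packet matching no entry is discarded.

```python
import ipaddress
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional

# Hypothetical model (not from any RFC or product): an ordered SPD where the
# first matching entry wins and a packet with no matching entry is discarded.


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]   # None means any protocol
    action: str            # "PROTECT", "BYPASS" or "DISCARD"

    def matches(self, p: dict) -> bool:
        return (p["src"] in self.src and p["dst"] in self.dst
                and (self.proto is None or self.proto == p["proto"]))


def pkt(src: str, dst: str, proto: int) -> dict:
    """Constructed packet header carrying only the selector fields a lookup needs."""
    return {"src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto}


class CentralSPD:
    """Master SPD at the management point. Every change bumps a version and
    pushes an invalidation to each subscribed gateway (distribute, not poll)."""
    def __init__(self):
        self.version = 0
        self.entries: list[Policy] = []
        self.gateways: list["GatewayCache"] = []

    def subscribe(self, gw: "GatewayCache") -> None:
        self.gateways.append(gw)
        gw.invalidate(self.version)

    def add(self, policy: Policy) -> int:
        self.entries.append(policy)
        self.version += 1
        for gw in self.gateways:
            gw.invalidate(self.version)
        return self.version

    def query(self, p: dict):
        """Return the first matching entry (or None) plus the current version."""
        for entry in self.entries:
            if entry.matches(p):
                return entry, self.version
        return None, self.version


class GatewayCache:
    """Bounded per-SGW cache of resolved SPD decisions keyed by flow selectors.
    Per-packet lookups stay local; only a cache miss goes back to the master."""
    def __init__(self, central: CentralSPD, capacity: int):
        self.central = central
        self.capacity = capacity
        self.version = -1
        self.cache: OrderedDict = OrderedDict()   # flow key -> Policy or None
        self.stats = {"hits": 0, "misses": 0, "invalidations": 0}

    def invalidate(self, version: int) -> None:
        """Coherence hook driven by the master: drop everything cached under the
        old version. A real deployment would push deltas rather than flush."""
        if version != self.version:
            self.cache.clear()
            self.version = version
            self.stats["invalidations"] += 1

    def lookup(self, p: dict) -> str:
        key = (p["src"], p["dst"], p["proto"])
        if key in self.cache:
            self.cache.move_to_end(key)            # LRU refresh
            self.stats["hits"] += 1
            entry = self.cache[key]
        else:
            self.stats["misses"] += 1              # back to querying the master
            entry, _ = self.central.query(p)
            self.cache[key] = entry                # negative results cached too
            if len(self.cache) > self.capacity:
                self.cache.popitem(last=False)     # evict least recently used
        return entry.action if entry else "DISCARD"


def run_demo() -> dict:
    """Drive the model with constructed policies and packets (capacity of 2
    entries forces an eviction, i.e. the overflow case from the thread)."""
    net = ipaddress.ip_network
    central = CentralSPD()
    central.add(Policy(net("10.0.0.0/8"), net("192.168.0.0/16"), None, "PROTECT"))
    central.add(Policy(net("0.0.0.0/0"), net("0.0.0.0/0"), 1, "BYPASS"))  # ICMP
    gw = GatewayCache(central, capacity=2)
    central.subscribe(gw)
    decisions = [gw.lookup(pkt("10.1.1.1", "192.168.5.5", 6)),   # miss -> PROTECT
                 gw.lookup(pkt("10.1.1.1", "192.168.5.5", 6)),   # hit
                 gw.lookup(pkt("172.16.0.1", "8.8.8.8", 1)),     # miss -> BYPASS
                 gw.lookup(pkt("172.16.0.1", "8.8.8.8", 6)),     # miss, no entry
                 gw.lookup(pkt("10.1.1.1", "192.168.5.5", 6))]   # evicted -> miss
    before = dict(gw.stats)
    central.add(Policy(net("172.16.0.0/12"), net("0.0.0.0/0"), 6, "PROTECT"))
    after = gw.lookup(pkt("172.16.0.1", "8.8.8.8", 6))          # re-resolved
    return {"decisions": decisions, "stats_before": before,
            "after": after, "cached": len(gw.cache), "version": gw.version}


if __name__ == "__main__":
    print(run_demo())
```

The two design points worth noticing: the gateway never polls the master on the packet path (it only hears about changes through the pushed version bump), and a negative lookup is cached as well, so a flow the SPD discards does not cost a round trip on every packet. Whole-cache flush on any change is the simplest coherence rule; with 200 gateways and frequent edits one would push per-entry deltas instead.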

