
Re: Bundle or not in negotiation




To: "Hilarie K. Orman" <ho@earth.hpc.org>
Subject: Re: Bundle or not in negotiation 
Cc: ipsec@tis.com, mab@research.att.com
Date: 11/24/98, 19:41:01


In message <199811242013.MAA01385@earth.hpc.org>, "Hilarie K. Orman" writes:
>The discussion below points out the need to separate mechanisms from
>policy about the use of those mechanisms.  However, while some may
>find it sufficient to have IKE create mechanism sets and to have IPSEC
>enforce policy over use of those sets, I believe that many people want
>a way to have a rational negotiation of mutually acceptable policy,
>prior to use.  This was the reason for suggesting "trust management" as
>a separate protocol --- one that could be mapped to the uses of
>several IETF security suites. 
>
>Trust management would fill the gap between "IKE proposes, IPSEC
>disposes" without requiring changes to either of them.  Is there
>enough interest in this to motivate discussion of requirements?

I would also add that in those cases where IPsec is used in
conjunction with firewalls (or similar), access policy is necessary.
This is not a simple issue, and there are a number of variations of
IPsec usage (which is probably why people seem to be talking past each
other sometimes -- thinking about slightly different scenarios).

As Hilarie pointed out, the Trust Management group (it's not yet a WG)
was formed to address these kinds of issues. I think Matt Blaze is
going to talk for 10 minutes at the next meeting about some of these
issues (Matt, am I right?)

We are also working on a preliminary document on the subject -- at
this point an issues/requirements doc -- but we probably won't have
it ready in time for this IETF.
-Angelos



