
Security Association Map (SAM)



Folks,

	While exploring approaches for caching security policies in
the Security Policy System (SPS) we devised an algorithm that allows
one to transform a set of overlapping security policies into a set of
non-overlapping policies. RFC2401 discusses overlapping policies in
more detail in section 4.4.1. This finding enabled caching in
SPS. However, we soon realized that one could use this algorithm with
any policy database.
	As we all know, the Security Policy Database (SPD) MAY contain
policies with overlapping selectors; therefore, in order to ensure
consistent and predictable traffic processing, the SPD entries MUST be
ordered and SPDs MUST always be searched in the same order. This new
algorithm guarantees that all policies found in an SPD will include at
least one selector with non-overlapping values. One still needs to
start with an ordered set of SPD entries especially if there are
overlaps, as one would typically specify such rules.
	This algorithm allows us to reintroduce the notion of the
Security Association Map (SAM) as the place to do a quick lookup for
outbound traffic to see if any existing SAs or SA bundles are
applicable, vs. needing to go back to the SPD to search it for a
match. Bump-in-the-stack and Bump-in-the-wire implementations could
now benefit from employing traffic-oriented, performance-dependent or
other searching techniques in the SAM. This could be particularly
beneficial for security gateways where processing loads are typically
high. Since policies in the SPD are unique and non-overlapping, SAM
entries, which include selectors and pointers to existing SAs or SA
bundles in the SAD, will also be non-overlapping, allowing traffic
processing to be deterministic and consistent.
	The details of the algorithm and some examples are provided in
section 10 and appendix B of draft-ietf-ipsec-sps-00.txt, respectively.

Thanks,

Luis

PS: We missed the draft submission deadline by minutes. You can obtain
the draft from www.net-tech.bbn.com/pbsm/SPS-design
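The following is an added illustration of the idea in the message above (an ordered, overlapping policy list rewritten as pairwise-disjoint entries so that a lookup no longer depends on search order). It is not the algorithm from draft-ietf-ipsec-sps-00 and not code from the SPS project; it uses a generic box-subtraction technique. Selectors are modelled as axis-aligned boxes of inclusive integer ranges over two assumed dimensions, source host and destination port; the sample SPD, its action labels and the helper names are constructed for the example.

```python
# Added illustration (not the SPS draft's algorithm): decorrelating an
# ordered SPD with overlapping selectors into pairwise-disjoint entries.
# Selectors are modelled as axis-aligned boxes of inclusive integer ranges,
# here (src host, dst port); real SPD selectors (addresses, protocol, ports,
# user ID, ...) would add dimensions in the same way.


def intersect(a, b):
    """Intersection of two boxes, or None if they do not overlap."""
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return tuple(out)


def subtract(a, b):
    """Cover a minus b with pairwise-disjoint boxes (empty if b covers a)."""
    inter = intersect(a, b)
    if inter is None:
        return [a]
    pieces = []
    cur = list(a)
    for d, ((alo, ahi), (ilo, ihi)) in enumerate(zip(a, inter)):
        # Slice off what lies below / above the intersection on axis d, then
        # narrow the working box to the intersection on that axis.
        if alo < ilo:
            piece = list(cur); piece[d] = (alo, ilo - 1); pieces.append(tuple(piece))
        if ihi < ahi:
            piece = list(cur); piece[d] = (ihi + 1, ahi); pieces.append(tuple(piece))
        cur[d] = (ilo, ihi)
    return pieces


def decorrelate(ordered):
    """Turn an ordered (first-match) list of (box, action) into a list whose
    boxes are pairwise disjoint.  Each policy keeps only the part of its
    selector space not claimed by any policy that precedes it."""
    out = []
    for i, (box, action) in enumerate(ordered):
        pieces = [box]
        for earlier, _ in ordered[:i]:
            pieces = [p for piece in pieces for p in subtract(piece, earlier)]
        out.extend((p, action) for p in pieces)
    return out


def contains(box, point):
    return all(lo <= x <= hi for (lo, hi), x in zip(box, point))


def first_match(ordered, point):
    """Ordered SPD search: the first matching entry wins."""
    for box, action in ordered:
        if contains(box, point):
            return action
    return None


def any_match(disjoint, point):
    """Order-independent (SAM-style) lookup: at most one entry can match."""
    hits = [action for box, action in disjoint if contains(box, point)]
    if len(hits) > 1:
        raise ValueError("overlapping entries in a decorrelated table")
    return hits[0] if hits else None


def pairwise_disjoint(entries):
    boxes = [b for b, _ in entries]
    return all(intersect(boxes[i], boxes[j]) is None
               for i in range(len(boxes)) for j in range(i + 1, len(boxes)))


# Constructed sample SPD, in search order; actions are just labels.
SPD = [
    (((0, 255), (22, 22)),    "PROTECT (SA-1)"),   # SSH from any host
    (((10, 20), (0, 65535)),  "BYPASS"),           # hosts .10-.20, any port
    (((0, 255), (0, 1023)),   "PROTECT (SA-2)"),   # other privileged ports
    (((0, 255), (0, 65535)),  "DISCARD"),          # default deny
]
DISJOINT = decorrelate(SPD)


def equivalent(ordered, disjoint, points):
    """True if first-match on `ordered` and any-match on `disjoint` agree."""
    return all(first_match(ordered, p) == any_match(disjoint, p) for p in points)


if __name__ == "__main__":
    import random
    samples = [(random.randint(0, 255), random.randint(0, 65535)) for _ in range(5000)]
    print(len(SPD), "ordered policies ->", len(DISJOINT), "disjoint entries")
    print("disjoint:", pairwise_disjoint(DISJOINT),
          "equivalent:", equivalent(SPD, DISJOINT, samples))
```

The check that matters is the one `any_match` enforces: once entries are disjoint, a lookup structure may visit them in whatever order is fastest (hash on the most selective selector, a tree, a cache keyed by recent traffic) and still return exactly what an ordered first-match search of the original SPD would, which is the property the message relies on for the SAM. Note that decorrelation is only meaningful when started from the intended order; the same set of policies in a different order produces a different, equally disjoint, table with different semantics.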