
vpn-policy-schema questions



Howdy ()

<Sorry about the cross post to both 
   ipsec@lists.tislabs.com    and
   ipsec@tis.com   
  I'm not sure what to trust yet, guess I'll know after this post forwards
through>


	I have a few questions about the Draft "An LDAP Schema for
Configuration and Administration of IPSec based Virtual Private Networks
(VPNs)" draft-ipsec-vpn-policy-schema-00.txt

	Even if you have only a subset of answers, I'd be interested.


1. Has anyone built a MIB translation of LDAP formatted
draft-ietf-ipsec-vpn-policy-schema-00.txt?


2. The IPSecProposal object includes one AHTransformRef, one
ESPTransformRef, and one IPCOMPTransformRef. Is the intention here to limit
SA bundles to the possible combination of one each from the above three
possibilities? 

3. Could there be a way for the PolicyAction object to be able to reference
vendor specific actions not defined in this draft? What would be the minimum
requisites?

4. In the IPSecSecurityAction, aren't the *proxied* objects redundant with
the IPPolicyCondition which brought this action into play? 

5. What do you think of changing the *autoStartFlag objects to
*autoStartCondition objects which would have references like:
	always
	never
	duringTimeRange X..Y
	if interface X is down
	if interface X is heavily loaded

6. Inside of one IPSecProposal are we limited to one DH group for all
transforms (ESP, AH)?

7. What are the reasons for making ISAKMPAction a PolicyAction? Aren't the
'PolicyCondition's for selecting ISAKMPAction trivial and possibly even
unalterable by local policy <if port 500>? I see that ISAKMPAction is
referenced from IPSecSecurityAction; this seems appropriate and sufficient to
me.

8. Does anyone <esp. authors> have some opinions about how external
authentication/authorization engines might be married into this draft?

9. Suppose two packets pass through a security gateway, receiving IPSec
treatment. On the first packet, how does this schema allow multiple ISAKMP
and IPSec proposals to be offered in the two negotiation phases? On the
second packet, how does this schema identify those particular proposals
(ISAKMP and IPSec, one each) that won the negotiation when the first packet
passed?




###################################
#  Ricky Charlet
#   rcharlet@RedCreek.com
#  (510) 795-6903
###################################
end Howdy; 

Ricky