
Re: draft-ietf-ipsec-policy-schema-00.txt



Howdy ()

	Kudos on your draft; we like it very much. I have two specific
architectural level compliments, one architectural level question, and
two detail level questions.

Compliments:
	The concept of a rule equals an OR'd list of conditions matched with an
AND'd list of actions is good. I hope the LDAP schema authors take up
this track also (any word on the new LDAP schema draft guys?).
	The policy is a set of rules, only one of which is in effect at
this time, is also well matched to some customer requirements we are
hearing.

Architectural Question:
	Where should "action" fit into the class hierarchy? My expectation is
that the general IETF Policy WG (different from the IPSec Policy WG)
will be forming a generalized condition <-> action schema. Under that,
IPSec would fit in as a particular instantiation of an action. Have you
thought about merging your policies, rules, and conditions work into the
policy working group and then forming a draft to detail out an
instantiation of a particular (IPSec) policy action?


Detail Level Questions:
	What an IPSec proposal contains seems to have left out compression...
oversight?

	A couple of things about the IPSecPermitAction and IPSecDenyAction.
First, this list is too short. The Permit/Deny language is something we
inherit from firewalls, which choose between those actions. But IPSec can
choose between three actions: Bypass, Block, and Secure, where Bypass
means pass in the clear, Secure means apply a security transform, and Block
means drop. In your draft you seem to imply that the absence of a Permit
or Deny means Secure. I think it would be better to be explicit (use
three terms), and I also think that the word "permit" allows for
ambiguity (does it mean bypass or does it mean secure?). Also, it seems
to me that all three of these choices need to be available to tunnels as
well as transports.

-- 
####################################
#  Ricky Charlet
#	(510) 795-6903
#	rcharlet@redcreek.com
####################################

end Howdy;
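As an added illustration, not from the draft or from this message, of the rule model the message discusses: a rule fires when any of its OR'd conditions holds, carries an AND'd list of transforms, and its disposition is one of the three explicit terms (Bypass, Block, Secure) rather than Secure being implied by the absence of Permit or Deny. The packet fields, the condition helpers and the transform name are constructed for the example.

```python
"""Constructed evaluator for an explicit three-way IPsec policy rule model."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


class Disposition(Enum):
    BYPASS = "bypass"   # pass in the clear
    BLOCK = "block"     # drop
    SECURE = "secure"   # apply the security transforms listed with the rule


Packet = Dict[str, object]            # constructed shape: {"src": ..., "dport": ...}
Condition = Callable[[Packet], bool]


def src_in(cidr: str) -> Condition:   # hypothetical condition helper
    net = ip_network(cidr)
    return lambda p: ip_address(str(p["src"])) in net


def dport_is(port: int) -> Condition:  # hypothetical condition helper
    return lambda p: p.get("dport") == port


@dataclass
class Rule:
    conditions: List[Condition]        # OR'd: the rule fires if any condition holds
    disposition: Disposition           # the explicit three-way choice
    transforms: Tuple[str, ...] = ()   # AND'd actions, only meaningful with SECURE

    def __post_init__(self) -> None:
        # Keep the disposition unambiguous: transforms belong to SECURE alone.
        if self.transforms and self.disposition is not Disposition.SECURE:
            raise ValueError("transforms require a SECURE disposition")
        if self.disposition is Disposition.SECURE and not self.transforms:
            raise ValueError("SECURE needs at least one transform")

    def matches(self, pkt: Packet) -> bool:
        return any(cond(pkt) for cond in self.conditions)


@dataclass
class Policy:
    rules: List[Rule]
    default: Rule   # explicit: an unmatched packet never silently becomes SECURE

    def decide(self, pkt: Packet) -> Tuple[Disposition, Tuple[str, ...]]:
        for rule in self.rules:          # first matching rule wins
            if rule.matches(pkt):
                return rule.disposition, rule.transforms
        return self.default.disposition, self.default.transforms


# Constructed sample: bypass DNS, secure two private ranges, block everything else.
POLICY = Policy(
    rules=[Rule([dport_is(53)], Disposition.BYPASS),
           Rule([src_in("10.0.0.0/8"), src_in("192.168.1.0/24")],
                Disposition.SECURE, ("ESP-AES-SHA1",))],
    default=Rule([], Disposition.BLOCK),
)
```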