Re: I-D ACTION:draft-ietf-ipsec-flow-monitoring-mib-00.txt
Ricky Charlet wrote:
>
> Howdy ()
>
> I would like to develop feedback on your draft. I believe it is an
> important problem. But just so I don't get lost chasing rabbits, first I
> would ask the authors to provide their definitions for:
>
> * IPsec traffic flows
> * IPsec tunnels
> * IKE tunnel
>
> --
> ####################################
> # Ricky Charlet
> # (510) 795-6903
> # rcharlet@redcreek.com
> ####################################
>
> end Howdy;
Howdy ()
I have not heard from anyone yet. I am still seeking clarification on
these flow-mib definitions. Let me offer my guess as to what the
definitions *might* be:
* IPsec traffic flows
    guess1: the set of packets which match as to outer IP
            header.
    guess2: the set of packets which match against a
            selector.
* IPsec tunnels
    The set of inbound and outbound SAs instantiated by a
    particular selector over all time irregardless of how
    often the SAs were re-keyed or how often the SAs were
    deleted and re-initiated.
* IKE tunnel
    The set of SAs matching as to peer, authMethod, and
    authData over all time irregardless of how often the
    SAs were re-keyed or how often the SAs were deleted
    and re-initiated.
Some things I wonder are:
1. What if traffic from different selectors travels over the same IPsec
SA? Is that the same IPsec tunnel?
2. What if my inbound and outbound selectors are asymmetric? Does that
interfere with defining a VPN tunnel?
3. Do you intend to treat 'dial-up' metaphor tunnels any differently
than 'nailed-up' metaphor tunnels?
Authors please comment.
--
####################################
# Ricky Charlet
# (510) 795-6903
# rcharlet@redcreek.com
####################################
end Howdy;