[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: On transport-level policy enforcement (was Re: RFC 2401...)

To: Dan McDonald <Dan.McDonald@Eng.Sun.COM>
Subject: Re: On transport-level policy enforcement (was Re: RFC 2401...)
From: Stephen Kent <kent@bbn.com>
Date: Mon, 27 Nov 2000 16:18:24 -0500
Cc: ipsec@lists.tislabs.com
In-Reply-To: <200011262330.eAQNUmK05325@kebe.Eng.Sun.COM>
References: <200011262330.eAQNUmK05325@kebe.Eng.Sun.COM>
Sender: owner-ipsec@lists.tislabs.com

Dan,

I was away for a week, and terribly far behind, so this reply is way 
of out order, but ...

Your analysis of how to do the checking is fine for a native host 
implementation where per-connection state is already available. In a 
security gateway, the problem is a bit different. We wrote the 
generic checking description we didn't know how to cache SPD rules in 
such circumstances. We now have ways of doing that which do not 
violate the SPD ordering assumption. The next rev of 2401 will update 
the inbound processing discussion accordingly.  We can also divide 
the discussion into SG vs. native host environments, to simplify 
matters.

Steve

References:

On transport-level policy enforcement (was Re: RFC 2401...)

From: Dan McDonald <Dan.McDonald@Eng.Sun.COM>

Prev by Date: Re: RFC 2401 section 5.2.1
Next by Date: Synchronisation in IKE
Prev by thread: Re: On transport-level policy enforcement (was Re: RFC 2401...)
Next by thread: IPv6 Jumbo Payload and IPsec
Index(es):
- Main
- Thread