Classification engine and IPSEC
Hi,
There are some difficult protocols such as FTP, H.323, RTSP, SIP, etc.
These protocols have a control connection and several data connections.
The control connection uses a standard service port, but data connections
use ephemeral ports, which are negotiated during the control
connection. For example, FTP data connection information goes
as part of the 'PORT' command on the control connection.
IPSEC SPD policies can be defined based on transport selectors
such as 'source' and 'dest' ports (ranges) along with IP addresses.
We see a requirement that all packets belonging to a flow
(control and data connections) should have the same security properties.
That is, only one IPSEC policy is defined for the service, and all
child connections (data connections) should also use the same
policy. But this requires interoperability, as the other party
should also treat it the same way. Today, we are solving this using a
proprietary mechanism, and it works only with our solutions. When working
with other IPSEC solutions, data connections will follow the IPSEC
policy list to get the new security properties.
Do people see any requirement like this? If so, how do we solve
this problem such that it is interoperable?
Regards
Srini
--
Srinivasa Rao Addepalli
Intoto Inc.
3160, De La Cruz Blvd #100
Santa Clara, CA
USA
Ph: 408-844-0480 x317
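The problem described in the post, as an added example that is not part of the original message and not Intoto's mechanism: a constructed, simplified SPD in the style of RFC 4301 selectors (ordered entries, first match wins, no match means discard), a parser for the FTP 'PORT h1,h2,h3,h4,p1,p2' command from RFC 959, and a hypothetical application-level-gateway class (`FtpAlg`) that registers the expected data connection so it inherits the parent control connection's policy. The flow addresses, the entry names, the `esp-ftp` action label and the port-20 active-mode assumption (RFC 959's default server data port) are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORTS = (0, 65535)  # inclusive port range meaning "any port"


@dataclass(frozen=True)
class Flow:
    """5-tuple as seen from the local IPsec host."""
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass
class SpdEntry:
    """One constructed SPD entry: transport selectors plus an action."""
    name: str
    proto: str
    local_net: str
    remote_net: str
    local_ports: tuple
    remote_ports: tuple
    action: str

    def matches(self, f: Flow) -> bool:
        return (f.proto == self.proto
                and ipaddress.ip_address(f.local_ip) in ipaddress.ip_network(self.local_net)
                and ipaddress.ip_address(f.remote_ip) in ipaddress.ip_network(self.remote_net)
                and self.local_ports[0] <= f.local_port <= self.local_ports[1]
                and self.remote_ports[0] <= f.remote_port <= self.remote_ports[1])


# Constructed SPD: protect FTP control traffic to port 21, bypass everything else.
SPD = [
    SpdEntry("ftp-control", "tcp", "10.0.0.0/24", "192.0.2.0/24", ANY_PORTS, (21, 21), "protect:esp-ftp"),
    SpdEntry("catch-all", "tcp", "0.0.0.0/0", "0.0.0.0/0", ANY_PORTS, ANY_PORTS, "bypass"),
]


def static_lookup(spd, flow: Flow):
    """Ordered SPD lookup on static selectors; no match -> discard (RFC 4301)."""
    for entry in spd:
        if entry.matches(flow):
            return entry.name, entry.action
    return None, "discard"


def parse_port_command(line: str):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port); None if not a PORT command."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return None
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated decimal fields")
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("PORT fields must be in 0..255")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PORT announced port 0")
    return ".".join(str(n) for n in nums[:4]), port


class FtpAlg:
    """Hypothetical ALG: watch PORT commands on a classified control connection and
    register the expected data connection so it inherits the parent's SPD action."""

    def __init__(self, spd):
        self.spd = spd
        self.expected = {}  # Flow -> (parent entry name, inherited action)

    def observe_control(self, control: Flow, line: str):
        parsed = parse_port_command(line)
        if parsed is None:
            return None
        entry, action = static_lookup(self.spd, control)
        if entry is None:
            return None  # control connection itself is discarded; register nothing
        ip, port = parsed
        # Defensive check: only honour an announced address equal to the control
        # connection's own local address, so a peer cannot redirect the expectation.
        if ip != control.local_ip:
            raise ValueError("PORT address differs from control-connection address")
        # Active mode: the server connects from its data port (20 by RFC 959 default)
        # to the announced client address/port.
        data = Flow("tcp", ip, port, control.remote_ip, 20)
        self.expected[data] = (entry, action)
        return data

    def lookup(self, flow: Flow):
        """Expectation table first (one-shot), then the static SPD."""
        if flow in self.expected:
            parent, action = self.expected.pop(flow)
            return f"child-of:{parent}", action
        return static_lookup(self.spd, flow)


if __name__ == "__main__":
    ctl = Flow("tcp", "10.0.0.5", 40001, "192.0.2.10", 21)
    data = Flow("tcp", "10.0.0.5", 40002, "192.0.2.10", 20)
    print("control, static:", static_lookup(SPD, ctl))   # protected
    print("data, static:   ", static_lookup(SPD, data))  # falls through to bypass
    alg = FtpAlg(SPD)
    alg.observe_control(ctl, "PORT 10,0,0,5,156,66\r\n")
    print("data, with ALG: ", alg.lookup(data))          # inherits esp-ftp
```

Run as a script, the static lookup shows the mismatch the post complains about: the control connection matches the `ftp-control` entry, but the negotiated data connection (remote port 20, local port 40002) falls through to `catch-all`. The expectation table fixes this only on the host that runs the ALG; the peer still classifies the data connection against its own SPD, which is exactly the interoperability gap the post is asking about.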