
Re: Classification engine and IPSEC



Hi, Sreeni


>Hi,
>    There are some difficult protocols such as FTP, H.323, RTSP, SIP etc..
>    These protocols have control connection and several data connections.
>    Control connection uses standard service port. But data connections
>    use ephemeral ports, which are negotiated during the control
>    connection. For example, FTP data connection information goes
>    as part of 'PORT' command of control connection.
>
>    IPSEC SPD policies can be defined based on transport selectors
>    such as 'source' and 'dest' ports (ranges) along with IP addresses.
>
>    We see requirement that all packets belonging to a flow
>    (control and data connections ) should have same security properties.
>    That is, only one IPSEC policy defined for the service and all
>    child connections (data connections ) should also use the same
>    policy. But, this requires interoperability as the other party also
>    should treat this similar way. Today, we are solving this using
>    proprietary mechanism and works only with our solutions. When working
>    with other IPSEC solutions, data connections will follow the IPSEC
>    policy list to get the new security properties.
>
>    Do people see any requirement like this? If so, how do we solve
>    this problem such that it is interoperable?

This requirement needs one of the following:
1) Set up policies for all the connections, with a separate policy for each
connection.
2) Have one policy which protects the control connection + data connections.

The first one is fair and simple. We have to treat it like any other flow.

But in the second case there may be some complexity in matching the policy and
handling the child connections.

Does anybody have a solution for interoperability?

-regards
-ramana
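The mismatch discussed in this thread, as an added illustration (not code from either poster): a first-match SPD keyed on static port selectors protects the FTP control connection, but the data connection announced in the PORT command lands on whatever entry covers the ephemeral range. Addresses, policy names and the `pin` child-entry mechanism are constructed for the example.

```python
"""Added example: FTP data connections vs. static IPsec SPD port selectors."""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SpdEntry:
    name: str
    src: str            # single host selectors keep the example short
    dst: str
    dport_lo: int
    dport_hi: int
    action: str         # constructed policy labels, e.g. "protect:esp-aes-gcm-256"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return self.src == src and self.dst == dst and self.dport_lo <= dport <= self.dport_hi

def spd_lookup(spd: List[SpdEntry], src: str, dst: str, dport: int) -> Optional[str]:
    """Ordered first-match lookup, the way an SPD is consulted per packet."""
    for e in spd:
        if e.matches(src, dst, dport):
            return e.action
    return None

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port_command(line: str):
    """Return (ip, port) the client announces in an active-mode FTP PORT command."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def derive_data_policy(spd, client, server, port_line, pin=False):
    """Policy the server->client data connection gets. pin=True models the
    non-interoperable fix: insert a per-flow child entry ahead of the list so the
    data connection inherits the control connection's policy."""
    ctl = spd_lookup(spd, client, server, 21)
    data_ip, data_port = parse_port_command(port_line)
    if pin:
        spd.insert(0, SpdEntry("ftp-data-child", server, data_ip, data_port, data_port, ctl))
    return spd_lookup(spd, server, data_ip, data_port)

# Constructed SPD: control channel gets one policy, ephemeral range another.
SPD = [
    SpdEntry("ftp-control", "10.0.0.5", "10.0.0.9", 21, 21, "protect:esp-aes-gcm-256"),
    SpdEntry("ephemeral", "10.0.0.9", "10.0.0.5", 1024, 65535, "protect:esp-aes-cbc-128"),
]

if __name__ == "__main__":
    for pin in (False, True):
        print("pinned" if pin else "static", derive_data_policy(list(SPD), "10.0.0.5", "10.0.0.9", "PORT 10,0,0,5,4,1", pin))
```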