Re: Classification engine and IPSEC
Hi, Sreeni
>Hi,
> There are some difficult protocols such as FTP, H.323, RTSP, SIP etc..
> These protocols have control connection and several data connections.
> Control connection uses standard service port. But data connections
> use ephemeral ports, which are negotiated during the control
> connection. For example, FTP data connection information goes
> as part of 'PORT' command of control connection.
>
> IPSEC SPD policies can be defined based on transport selectors
> such as 'source' and 'dest' ports (ranges) along with IP addresses.
>
> We see requirement that all packets belonging to a flow
> (control and data connections) should have same security properties.
> That is, only one IPSEC policy defined for the service and all
> child connections (data connections) should also use the same
> policy. But, this requires interoperability as the other party also
> should treat this similar way. Today, we are solving this using a
> proprietary mechanism that works only with our solutions. When working
> with other IPSEC solutions, data connections will follow the IPSEC
> policy list to get the new security properties.
>
> Do people see any requirement like this? If so, how do we solve
> this problem such that it is interoperable?
This requirement needs:
1) Set up policies for all the connections, a separate policy for each
connection.
2) Have one policy which protects the control connection + data connection.
The first one is fair and simple. We have to treat it like any other flow.
But in the second case there may be some complexity in matching the policy and
handling the child connections.
Does anybody have a solution for interoperability?
-regards
-ramana
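The two options discussed in this thread, shown as a small worked example. This is added illustration code, not something from either poster or from any IPsec implementation: it models an RFC 4301-style SPD as an ordered list of selectors (addresses, protocol, port ranges) and shows why an FTP data connection on an ephemeral port falls through the control-connection policy, then shows option 1 (a separate static policy for the data connections) and option 2 (deriving a child policy from the negotiated 'PORT' command). Addresses 10.0.0.1 and 192.0.2.10 are constructed, and the SPD lookup is simplified (first match wins, DISCARD if nothing matches).

```python
"""Added example: IPsec SPD selector matching for FTP control/data flows.

Simplified model of an RFC 4301 SPD (ordered policies with traffic
selectors) and an RFC 959 'PORT' command parser.  Not from any real
IPsec stack; addresses and ports below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IP_PROTO_TCP = 6
CLIENT, SERVER = "10.0.0.1", "192.0.2.10"   # constructed endpoints


@dataclass
class Selector:
    """Traffic selector: source/dest address, protocol and port ranges."""
    src_net: str
    dst_net: str
    proto: int
    src_ports: Tuple[int, int] = (0, 65535)
    dst_ports: Tuple[int, int] = (0, 65535)

    def matches(self, src: str, dst: str, proto: int, sport: int, dport: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net)
                and proto == self.proto
                and self.src_ports[0] <= sport <= self.src_ports[1]
                and self.dst_ports[0] <= dport <= self.dst_ports[1])


@dataclass
class Policy:
    name: str
    selector: Selector
    action: str   # "PROTECT", "BYPASS" or "DISCARD"


class SPD:
    """Ordered security policy database; first matching entry decides."""

    def __init__(self, policies: List[Policy]):
        self.policies = list(policies)

    def lookup(self, src: str, dst: str, proto: int, sport: int, dport: int) -> Tuple[str, str]:
        for p in self.policies:
            if p.selector.matches(src, dst, proto, sport, dport):
                return p.name, p.action
        return "default", "DISCARD"      # RFC 4301: no match means discard

    def insert_child(self, policy: Policy) -> None:
        # A negotiated child policy must precede the static entries.
        self.policies.insert(0, policy)


def parse_port_command(line: str) -> Tuple[str, int]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (host, port) per RFC 959."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument")
    host = ".".join(str(f) for f in fields[:4])
    return host, fields[4] * 256 + fields[5]


def static_spd() -> SPD:
    """Only the control connection (dst port 21) is covered; rest is BYPASS."""
    return SPD([
        Policy("ftp-control",
               Selector(CLIENT + "/32", SERVER + "/32", IP_PROTO_TCP, dst_ports=(21, 21)),
               "PROTECT"),
        Policy("catch-all", Selector("0.0.0.0/0", "0.0.0.0/0", IP_PROTO_TCP), "BYPASS"),
    ])


def per_connection_spd() -> SPD:
    """Option 1: a separate static policy for active-mode data (src port 20)."""
    spd = static_spd()
    data = Policy("ftp-data",
                  Selector(SERVER + "/32", CLIENT + "/32", IP_PROTO_TCP, src_ports=(20, 20)),
                  "PROTECT")
    spd.policies.insert(1, data)          # ahead of the catch-all
    return spd


def with_child_policy(spd: SPD, port_cmd: str) -> SPD:
    """Option 2: derive a child policy from the PORT command on the control channel."""
    host, port = parse_port_command(port_cmd)
    child = Policy("ftp-data-child",
                   Selector(SERVER + "/32", host + "/32", IP_PROTO_TCP,
                            src_ports=(20, 20), dst_ports=(port, port)),
                   "PROTECT")
    spd.insert_child(child)
    return spd


def control_lookup(spd: SPD) -> Tuple[str, str]:
    return spd.lookup(CLIENT, SERVER, IP_PROTO_TCP, 40001, 21)


def data_lookup(spd: SPD, data_port: int) -> Tuple[str, str]:
    # Active mode: server connects from port 20 to the client's announced port.
    return spd.lookup(SERVER, CLIENT, IP_PROTO_TCP, 20, data_port)


if __name__ == "__main__":
    print("control:", control_lookup(static_spd()))
    print("data, static SPD:", data_lookup(static_spd(), 1234))
    print("data, per-connection:", data_lookup(per_connection_spd(), 1234))
    print("data, child policy:", data_lookup(with_child_policy(static_spd(), "PORT 10,0,0,1,4,210"), 1234))
```

Running the block shows the control connection getting PROTECT while the data connection on port 1234 falls through to the BYPASS catch-all under the static SPD; both options restore PROTECT, but only option 1 works without the peer also inspecting the control channel, which is the interoperability gap the thread is about.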