[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Policy requirements in Son-Of-IKE

To: ipsec@lists.tislabs.com
Subject: Policy requirements in Son-Of-IKE
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Fri, 22 Mar 2002 23:14:20 -0500
Sender: owner-ipsec@lists.tislabs.com

-----BEGIN PGP SIGNED MESSAGE-----


IKEv1 is a policy agreement protocol. It does not negotiate.

There are two ways that we can do with this.
      1) we can remove all policy from SOI. 
      2) we can improve policy so that we can negotiate in SOI.

There are good arguments for both paths. I strongly believe that we must 
decide this very soon.

If we go with path #1, then we must have a policy discovery and agreement
protocol. This was supposed to be solved by IPSP WG, but IPSP got forced into
doing this Policy Schema/PIB stuff. IPSP is only now starting on this. If the 
IPSEC WG wants to go route #1, then we MUST complete the IPSP WG on the same
schedule. IPSRA work will have to be redone as well.

(The PIB stuff doesn't help at all for inter-domain stuff, and I do not think
 it even helps for road-warrior/gateway. Maybe I'm wrong. )

If we go with path #2, then we need policy negotiation in SOI. I'm not
convinced that this will be rich enough to do the kinds of things that SPP
could do, but it MUST at least satisfy the VPN, remote access needs. It is
likely that it will satisfy Opportunistic Encryption needs as well. 

A method to deal with protocols like FTP (i.e. IRC, H323, SIP/AVP, etc.)
should be included in the requirements.

(Some gateway discovery protocol like SPP, TED, etc. will still have
value. A different form of OE can also be created with this kind of thing)

Again, we have to decide on the path to take. This is not a debate about
the proposals - it is clear to me that the protocol folks will cope.

Cheryl's 01 draft suggests improving policy (#2).

I think that most of the WG is siding with this. Not all. 
It would helpful if those who are in favour of #1 would:
    1) write drafts (not emails) explaining their view of the world.

    2) review the scenarios in the SOI requirements draft and explain how
       these things can be done. 

    3) join and help review the IPSP work.


]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [



PS: I'm a bit upset that any time was spent on presentations on Thursday
 morning. We should have spent the high bandwidth time in the small room
 on discussion about these things.

 I guess I should have read the agenda with more thought and objected to it.
 I wonder if an official interim meeting in late April would have value. 

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBPJwBGoqHRg3pndX9AQGz5QP/bBfLsR0H+wZIrxkUOTD5AO37KZdJ76LN
BOwAeV9FaY/8HzMCI+Njiex7Md4dCOTgzYGtNYtv3rtBKyrcxQSyh762fjsSVQBJ
IurdScYVYX/XL9sho9cjJYSJSSwGRtbvIoHC9QPnDYwF+if6bv1Nbe5jpkWnRLjd
OGguY1YqdQg=
=NNjD
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: divergent interpretations of IKE/IPsec - interop issues [should be Policy requirements in Son-Of-IKE]
  - From: Markku Savela <msa@burp.tkv.asdf.org>
- RE: Policy requirements in Son-Of-IKE
  - From: "sankar ramamoorthi" <sankar@nexsi.com>
- Re: Policy requirements in Son-Of-IKE
  - From: Markku Savela <msa@burp.tkv.asdf.org>
- Re: Policy requirements in Son-Of-IKE
  - From: Jan Vilhuber <vilhuber@cisco.com>

Prev by Date: Re: divergent interpretations of IKE/IPsec - interop issues
Next by Date: Re: divergent interpretations of IKE/IPsec - interop issues
Prev by thread: No Subject
Next by thread: Re: divergent interpretations of IKE/IPsec - interop issues [should be Policy requirements in Son-Of-IKE]
Index(es):
- Date
- Thread