
RE: Policy requirements in Son-Of-IKE
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Michael Richardson
> Sent: Friday, March 22, 2002 8:14 PM
> To: ipsec@lists.tislabs.com
> Subject: Policy requirements in Son-Of-IKE
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> IKEv1 is a policy agreement protocol. It does not negotiate.
>
> There are two ways we can deal with this.
>       1) we can remove all policy from SOI.
>       2) we can improve policy so that we can negotiate in SOI.
>
> There are good arguments for both paths. I strongly believe that we must
> decide this very soon.
>
> If we go with path #1, then we must have a policy discovery and agreement
> protocol. This was supposed to be solved by the IPSP WG, but IPSP got forced
> into doing this Policy Schema/PIB stuff. IPSP is only now starting on this.
> If the IPSEC WG wants to go route #1, then we MUST complete the IPSP WG on
> the same schedule. IPSRA work will have to be redone as well.

Just for completeness (personally, not in favor of the approach):

Some of the emails in the discussion thread also indicated a desire to
completely delink policy from IKE and make it part of the local firewall or
other subsystem implementation. In this case the mismatched SAs are detected
not during SA establishment, but at runtime. This approach requires
standardized ways in IPsec to report the mismatch to the peer
(to avoid black-hole problems).

-- sankar --
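The two paths discussed above, as an added illustration that is not code from this thread or from any IKE implementation: a pair of peers with differing local policies, first checking a proposed selector against local policy at SA setup (path #2, policy agreed in the key exchange), then the delinked alternative where no policy is exchanged and the mismatch only shows up when a packet arrives on the SA and fails the receiver's SPD check. The `Peer`, `Selector` and `POLICY_MISMATCH` names and the sample addresses are constructed for the example; the notification is a placeholder for whatever standardized report the post says would be needed, not an existing IKE payload.

```python
"""Policy mismatch between two IPsec peers: agree at SA setup or detect at runtime.

Added example; not code from the ipsec list thread. Peers, selectors and the
POLICY_MISMATCH notification are hypothetical stand-ins, not IKE payloads.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

ANY_PROTO = 0  # wildcard protocol, like an SPD "any" entry


@dataclass(frozen=True)
class Selector:
    """A traffic selector: which packets an SPD entry (or an SA) covers."""
    src: IPv4Network
    dst: IPv4Network
    proto: int = ANY_PROTO

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in (ANY_PROTO, proto))

    def covers(self, other: "Selector") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.proto in (ANY_PROTO, other.proto))


@dataclass
class Peer:
    name: str
    spd: list                      # local policy: what this peer will protect/accept
    notifications: list = field(default_factory=list)
    dropped: int = 0

    def agree(self, proposal: Selector) -> bool:
        """Path #2: the proposal is checked against local policy at SA setup,
        so a mismatch is found before any traffic is sent."""
        return any(entry.covers(proposal) for entry in self.spd)

    def receive(self, sender: "Peer", src: IPv4Address, dst: IPv4Address,
                proto: int, report: bool) -> str:
        """Path #1: nothing was exchanged; each packet is checked at runtime.
        Without a report back, the sender never learns why traffic vanished."""
        if any(entry.matches(src, dst, proto) for entry in self.spd):
            return "accept"
        self.dropped += 1
        if report:
            # Hypothetical standardized mismatch report to the sender.
            sender.notifications.append(("POLICY_MISMATCH", str(src), str(dst), proto))
            return "drop+notify"
        return "drop"  # silent drop: the sender sees a black hole


def sel(src: str, dst: str, proto: int = ANY_PROTO) -> Selector:
    return Selector(ip_network(src), ip_network(dst), proto)


def run() -> dict:
    # Constructed sample policies: A wants the whole /24 protected, but B only
    # accepts TCP from one /25 of it, so the two SPDs disagree.
    a = Peer("A", [sel("10.1.0.0/24", "10.2.0.0/24")])
    b = Peer("B", [sel("10.1.0.0/25", "10.2.0.0/24", proto=6)])

    results = {"agreed_at_setup": b.agree(a.spd[0])}

    # A packet inside B's policy is fine either way.
    results["in_policy"] = b.receive(a, ip_address("10.1.0.5"),
                                     ip_address("10.2.0.5"), 6, report=False)

    # A packet A's policy covers but B's does not (source outside B's /25).
    pkt = (ip_address("10.1.0.200"), ip_address("10.2.0.5"), 6)
    results["silent"] = b.receive(a, *pkt, report=False)
    results["a_notified_after_silent"] = len(a.notifications)
    results["reported"] = b.receive(a, *pkt, report=True)
    results["a_notified_after_report"] = len(a.notifications)
    results["b_dropped"] = b.dropped
    return results


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v}")
```

With policy agreed at setup, B rejects A's proposal outright and no SA is built. With policy kept local, the SA comes up and B silently discards the out-of-policy packets unless it sends something back; only in the reporting case does A end up holding a notification it can act on.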