
RE: SPD policy document/article



Howdy,

	Maybe more than AD clarification... Realize also that the IPSP work toward developing an IPsec configuration policy model (from which the configuration PIB and MIB flow) was a co-effort between IETF and DMTF. 

	For perspective's sake, the task of configuring differing vendors' conformant IPsec implementations was divergent enough to seem to require a unified configuration model before work towards multi-vendor configuration management tools could be realistic.

	The existing configuration model includes several configuration notions not required by 2401 but judged by the authors (IETF and DMTF folks) to merit inclusion based on (I assume) their deployment experiences.

	Personally, I am very curious if anyone has made use of the Policy Model, the PIB or the MIB. NAI's (Wes's group's) implementation of the MIB to configure an IPsec implementation is the only example I know of.

--
Ricky Charlet    rcharlet@alumni.calpoly.edu    USA (408) 962-8711



-----Original Message-----
From: Stephen Kent [mailto:kent@bbn.com]
Sent: Friday, November 22, 2002 6:57 AM
To: Wes Hardaker
Cc: ipsec@lists.tislabs.com; smb@research.att.com; jis@mit.edu
Subject: Re: SPD policy document/article


At 10:39 PM -0800 11/21/02, Wes Hardaker wrote:
>  >>>>> On Thu, 21 Nov 2002 19:21:05 -0500, Stephen Kent <kent@bbn.com> said:
>
>Stephen> RFC 2401 establishes the standard for the minimum required
>Stephen> data elements for the SPD used in IPsec, and then defines how
>Stephen> a conformant IPsec implementation uses this data. So, I
>Stephen> assume your comments are referring to other protocols, right?
>
>RFC2401 does talk about the SPD but in a very minimal context.  The
>IPSP work is intended to define Ipsec Security Policy in greater detail.
>
>--
>Wes Hardaker
>Network Associates Laboratories

Wes,

2401 defines what a compliant IPsec implementation MUST do. The IPsec 
WG is responsible for defining IPsec device compliance. IPSP cannot 
define additional requirements for what it means to be IPsec 
compliant without impinging on the IPsec WG charter. I thought IPSP 
was responsible for protocols for policy negotiation, for higher level 
policy definition, etc., but not for policy at the level of detail 
of the SPD, since that would result in 2 WGs with responsibility 
for the same data structure.  Maybe we need AD clarification here.

Steve