Re: SPD policy document/article
At 10:58 AM -0800 11/22/02, Wes Hardaker wrote:
> >>>>> On Fri, 22 Nov 2002 09:57:09 -0500, Stephen Kent <kent@bbn.com> said:
>
>Stephen> 2401 defines what a compliant IPsec implementation MUST
>Stephen> do. The IPsec WG is responsible for defining IPsec device
>Stephen> compliance. IPSP cannot define additional requirements for
>Stephen> what it means to be IPsec compliant without impinging on the
>Stephen> IPsec WG charter.
>
>The IPSP group doesn't mandate that you implement a SPD their way.
>You are right that to be compliant you only need to implement the
>minimum requirements of 2401. The IPSP group has many things in their
>charter (including policy discovery, etc). The model (and MIB/PIB
>extrapolations of it) are merely "one way" to implement the SPD. It's
>not required that you do so to be an IPsec compliant device. Now, if
>you want to be an IPsec compliant box which is compatible with other
>boxes for configuration of the SPD then you might have to conform to
>one of those other specs. I.e., IPsec WG = protocol; IPSP WG =
>interoperability configuration of the protocol.
>
It's obvious that there needs to be close coordination between what
the SPD specifies and what IKE can negotiate, something that caused
several last-minute changes to 2401, and even then we didn't get it
perfect. In developing 2401bis and IKE v2 we are working closely to
ensure better coordination. So, if IPSP goes off and creates
additions to the SPD separate from the work in the IPsec WG, where
2401bis and IKEv2 are developed, don't you anticipate disconnects
that will impair operation?
Steve