Re: SPD policy document/article
At 10:58 AM -0800 11/22/02, Wes Hardaker wrote:
>  >>>>> On Fri, 22 Nov 2002 09:57:09 -0500, Stephen Kent <kent@bbn.com> said:
>
>Stephen> 2401 defines what a compliant IPsec implementation MUST
>Stephen> do. the IPsec WG is responsible for defining IPsec device
>Stephen> compliance. IPSP cannot define additional requirements for
>Stephen> what it means to be IPsec compliant without impinging on the
>Stephen> IPsec WG charter.
>
>The IPSP group doesn't mandate that you implement a SPD their way.
>You are right that to be compliant you only need to implement the
>minimum requirements of 2401.  The IPSP group has many things in their
>charter (including policy discovery, etc).  The model (and MIB/PIB
>extrapolations of it) are merely "one way" to implement the SPD.  It's
>not required that you do so to be an IPsec compliant device.  Now, if
>you want to be an IPsec compliant box which is compatible with other
>boxes for configuration of the SPD then you might have to conform to
>one of those other specs.  I.e., IPsec WG = protocol; IPSP WG =
>interoperability configuration of the protocol.
>

It's obvious that there needs to be close coordination between what 
the SPD specifies and what IKE can negotiate, something that caused 
several last minute changes to 2401 and even then we didn't get it 
perfect. In developing 2401bis and IKE v2 we are working closely to 
ensure better coordination. So, if IPSP goes off and creates 
additions to the SPD separate from the work in the IPsec WG, where 
2401bis and IKEv2 are developed, don't you anticipate disconnects 
that will impair operation?

Steve