
RE: SPD policy document/article



We have made use of the IPSP policy model, but we have not maintained our
implementation in lockstep with the draft revisions.  Implementing the MIB
is a possibility for us, but it would have to be a customer-driven
requirement because we are using a proprietary Web interface to manage our
device.  We are moving toward integration with third-party network
management products using an XML implementation of the model.
We used the IPSP policy model in the following fashion:
1) We created a proprietary XML schema based on the model.
2) Implemented a set of runtime CPP classes that implement the model.
3) These classes are instantiated at runtime via parsing of an XML file
   using Xerces.
4) This instantiated policy model is then used for all modifications to
   IPsec policy within our device.
5) Changes to the model are saved to XML files.
6) The runtime-instantiated policy is used to populate the runtime SPD and
   initialize the IKE runtime library.
7) We also implemented serialization of the model instance for remote
   procedure calls via TCP sockets.

BTW, I agree with Ricky.  This model did give us a more concrete way of
dealing with IPsec policies.  Mapping this model to our 2401-compliant SPD
implementation was straightforward (well, more like painful but doable).
I'm guessing that the model was very useful for MIB/PIB writers.
Our goal in choosing this path was to try to at least give ourselves a
chance at being standards-based if this group successfully produced RFC
documents.  If there is market demand for implementing the IPSP MIB, it
should be doable for us because our management is based on the model.  If
there is any interest in the working group for standardizing the XML schema,
I would like to hear about it.  I can hear the groans now: "Why didn't you
just use the MIB?"  We had our reasons; I'm still convinced we made the
right choice, but time will tell.  We do include an SNMP agent and trap
generation in our product, just not SNMP device configuration.
Can anyone name a single network management platform that uses a standard
SNMP MIB for configuration management that works across multiple vendors?
If so, what was the effort level required between the device and NM platform
vendor to actually get it to work?  If you are going to write device-
specific/vendor-specific code for configuration management, my personal
opinion is that SNMP is a very ineffective protocol to accomplish the task.
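As an added illustration of steps 3), 4) and 6) above (this is example code written for this page, not the poster's proprietary schema or classes, and not code from the original message): a small Python script parses a constructed XML policy document into runtime objects and uses them to populate an ordered, RFC 2401-style SPD that returns bypass/discard/protect decisions for a packet's selectors.  The element and attribute names (`ipsecPolicy`, `rule`, `filter`, `action`, `sa`, `priority`) are assumptions made for the example.

```python
"""Load an XML IPsec policy into runtime objects and build an SPD from it.

Added example: a constructed XML document with a hypothetical schema (element
and attribute names are assumptions, not the schema from the message) is
parsed into SpdEntry objects, which are then consulted the way an RFC 2401
SPD is: ordered entries, first match wins, no match means discard.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample policy.  'priority' gives the SPD ordering (lower first);
# 'any' means the selector is a wildcard.  IPv4 only, to keep the example short.
POLICY_XML = """
<ipsecPolicy>
  <rule name="mgmt-bypass" priority="10">
    <filter src="10.0.0.0/24" dst="10.0.0.1/32" proto="tcp" dport="443"/>
    <action type="bypass"/>
  </rule>
  <rule name="site-to-site" priority="20">
    <filter src="10.0.0.0/24" dst="192.168.1.0/24" proto="any"/>
    <action type="protect">
      <sa protocol="esp" mode="tunnel" peer="203.0.113.5"/>
    </action>
  </rule>
  <rule name="deny-telnet" priority="5">
    <filter src="any" dst="any" proto="tcp" dport="23"/>
    <action type="discard"/>
  </rule>
</ipsecPolicy>
"""

ACTIONS = ("bypass", "discard", "protect")


def _net(text: Optional[str]):
    """'any' or missing -> wildcard (None); otherwise a strict CIDR network."""
    if text is None or text == "any":
        return None
    return ipaddress.ip_network(text, strict=True)


def _port(text: Optional[str]) -> Optional[int]:
    """'any' or missing -> wildcard (None); otherwise a validated port."""
    if text is None or text == "any":
        return None
    port = int(text)
    if not 0 < port <= 65535:
        raise ValueError(f"bad port {text!r}")
    return port


@dataclass(frozen=True)
class SpdEntry:
    """One SPD entry: RFC 2401 selectors plus the action to apply."""
    name: str
    priority: int
    src: Optional[ipaddress.IPv4Network]   # None == any
    dst: Optional[ipaddress.IPv4Network]   # None == any
    proto: Optional[str]                   # 'tcp', 'udp', ... or None == any
    dport: Optional[int]                   # None == any
    action: str                            # 'bypass' | 'discard' | 'protect'
    sa: Dict[str, str] = field(default_factory=dict)  # SA parameters if 'protect'

    def matches(self, pkt: dict) -> bool:
        """Every non-wildcard selector must agree with the packet."""
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.proto is not None and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


def load_spd(xml_text: str) -> List[SpdEntry]:
    """Instantiate the policy model from XML and order it as an SPD."""
    # xml.etree is acceptable for operator-written config files; use defusedxml
    # for policy documents that may arrive from an untrusted party.
    root = ET.fromstring(xml_text)
    entries: List[SpdEntry] = []
    for rule in root.findall("rule"):
        name = rule.get("name", "<unnamed>")
        flt, act = rule.find("filter"), rule.find("action")
        if flt is None or act is None:
            raise ValueError(f"rule {name!r}: filter and action are both required")
        action = act.get("type")
        if action not in ACTIONS:
            raise ValueError(f"rule {name!r}: unknown action {action!r}")
        sa: Dict[str, str] = {}
        if action == "protect":
            sa_el = act.find("sa")
            if sa_el is None:
                raise ValueError(f"rule {name!r}: protect requires <sa> parameters")
            sa = dict(sa_el.attrib)
        proto = flt.get("proto", "any")
        entries.append(SpdEntry(
            name=name, priority=int(rule.get("priority", "1000")),
            src=_net(flt.get("src")), dst=_net(flt.get("dst")),
            proto=None if proto == "any" else proto, dport=_port(flt.get("dport")),
            action=action, sa=sa))
    # The SPD is an ordered list: sort once so that lookups are first-match.
    entries.sort(key=lambda e: e.priority)
    return entries


def lookup(spd: List[SpdEntry], pkt: dict) -> Tuple[str, str, Dict[str, str]]:
    """Return (entry name, action, SA parameters) for a packet's selectors."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.name, entry.action, entry.sa
    # RFC 2401 section 4.4.1: a packet matching no SPD entry MUST be discarded.
    return "default", "discard", {}


SPD = load_spd(POLICY_XML)

if __name__ == "__main__":
    for pkt in ({"src": "10.0.0.7", "dst": "10.0.0.1", "proto": "tcp", "dport": 443},
                {"src": "10.0.0.7", "dst": "192.168.1.20", "proto": "udp", "dport": 53},
                {"src": "172.16.0.1", "dst": "8.8.8.8", "proto": "tcp", "dport": 80}):
        print(pkt, "->", lookup(SPD, pkt))
```

Two points the example makes that matter when mapping a policy model onto a 2401 SPD: the SPD is ordered and first-match, so the model's priority (or document order) has to be carried over explicitly rather than left to whatever order the XML parser hands back, and the "no match" case has to be discard, not bypass, or a missing rule silently sends traffic in the clear.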

 -----Original Message-----
From: 	owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]
On Behalf Of rcharlet@SonicWALL.com
Sent:	Friday, November 22, 2002 1:03 PM
To:	kent@bbn.com; hardaker@tislabs.com
Cc:	ipsec@lists.tislabs.com
Subject:	RE: SPD policy document/article

Howdy,

	Maybe more than AD clarification... Realize also that the IPSP work toward
developing an IPsec configuration policy model (from which the configuration
PIB and MIB flow) was a co-effort between the IETF and the DMTF.

	For perspective's sake, the task of configuring differing vendors' conformant
IPsec implementations was divergent enough to seem to require a unified
configuration model before work towards multi-vendor configuration
management tools could be realistic.

	The existing configuration model includes several configuration notions not
required by 2401 but judged by the authors (IETF and DMTF folks) to merit
inclusion based on (I assume) their deployment experiences.

	Personally, I am very curious if anyone has made use of the Policy Model,
the PIB or the MIB.  NAI's (Wes's group's) implementation of the MIB to
configure an IPsec implementation is the only example I know of.

--
Ricky Charlet    rcharlet@alumni.calpoly.edu    USA (408) 962-8711



-----Original Message-----
From: Stephen Kent [mailto:kent@bbn.com]
Sent: Friday, November 22, 2002 6:57 AM
To: Wes Hardaker
Cc: ipsec@lists.tislabs.com; smb@research.att.com; jis@mit.edu
Subject: Re: SPD policy document/article


At 10:39 PM -0800 11/21/02, Wes Hardaker wrote:
>  >>>>> On Thu, 21 Nov 2002 19:21:05 -0500, Stephen Kent <kent@bbn.com>
said:
>
>Stephen> RFC 2401 establishes the standard for the minimum required
>Stephen> data elements for the SPD used in IPsec, and then defines how
>Stephen> a conformant IPsec implementation uses this data. So, I
>Stephen> assume your comments are referring to other protocols, right?
>
>RFC2401 does talk about the SPD but in a very minimal context.  The
>IPSP work is intended to define IPsec Security Policy in greater detail.
>
>--
>Wes Hardaker
>Network Associates Laboratories

Wes,

2401 defines what a compliant IPsec implementation MUST do.  The IPsec
WG is responsible for defining IPsec device compliance.  IPSP cannot
define additional requirements for what it means to be IPsec
compliant without impinging on the IPsec WG charter.  I thought IPSP
was responsible for protocols for policy negotiation, for higher-level
policy definition, etc., but not for policy at the level of detail of
the SPD, since that would result in 2 WGs with responsibility
for the same data structure.  Maybe we need AD clarification here.

Steve