[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: an SPD syntax example

To: Charles Lynn <clynn@bbn.com>
Subject: Re: an SPD syntax example
From: Stephen Kent <kent@bbn.com>
Date: Mon, 2 Feb 2004 14:22:10 -0500
Cc: ipsec@lists.tislabs.com
In-reply-to: <20040202171959.5B43520520@wolfe.bbn.com>
References: <20040202170520.40BDF20520@wolfe.bbn.com><20040202171959.5B43520520@wolfe.bbn.com>
Sender: owner-ipsec@lists.tislabs.com

At 12:19 -0500 2/2/04, Charles Lynn wrote:
>Catching up...
>A few comments on the ongoing SPD syntax discussion, IKE, and 2401bis.
>
>>It is better to make this as close to IKEv2 Traffic Selector as
>>possible.
>
>I disagree :-) ... on the grounds that clarity and simplicity for the
>administrators promote better security.

Good point; clarity is better, so long as it is easily mapped to 
IKEv2 TS payloads.

>I think that the syntax should be designed to encourage a clear and
>concise specification of the types of traffic that should be protected.
>We should not be using a syntax that lets an administrator enter
>information that is non-sensical or inappropriate, as much as possible.
>The "software" can translate that format into whatever the key management
>protocol(s) use internally; the programmer only has to get the translation
>right once, the admin would have to do it for each SelectorSet.

yes, but let's keep the translation easy, or it will be done improperly.

>As an example, the IKEv2 syntax (which is an improvement over IKEv1,
>and which I do not think needs to be changed -- but does need to be
>"clarified") allows one protocol to be specified in the initiator
>traffic selectors and a totally different one to be specified in the
>responder traffic selectors -- something that is clearly wrong.

agreed. good example.

Firewalls distinguish between connection initiators and responders, 
but that may not be critical here, since that we have authentication 
for SA establishment, and integrity mechanism for continuous 
protection after SA establishment. So, for SAs the asymmetry may not 
be an issue.  Note that the current syntax I suggested does retain 
inbound vs. outbound distinctions for non-IPsec traffic, where we 
lack the protections noted above.

Let me suggest that you prepare an ASN.1 syntax example that meets 
the criteria you described in your message and bring it to the list, 
along with the explanation of how to map it to IKE TS payloads. We 
can work from there.

Steve

References:
- IKEv2 changes (was Re: Issue #76: TFC padding in ESPv3 and requirments for IKEv2)
  - From: Charles Lynn <clynn@bbn.com>
- Re: an SPD syntax example
  - From: Charles Lynn <clynn@bbn.com>

Prev by Date: Re: an SPD syntax example
Next by Date: RE: IANA document
Previous by thread: Re: an SPD syntax example
Next by thread: Re: Issue #83: Generation of ICMP responses for inbound packetrequiring IPSEC protection
Index(es):
- Date
- Thread