Re: Policy requirements in Son-Of-IKE
Jan Vilhuber <vilhuber@cisco.com> Tue, 26 March 2002 00:06 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g2Q06c429008; Mon, 25 Mar 2002 16:06:38 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id SAA16994 Mon, 25 Mar 2002 18:31:10 -0500 (EST)
Date: Mon, 25 Mar 2002 15:42:35 -0800
From: Jan Vilhuber <vilhuber@cisco.com>
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
cc: ipsec@lists.tislabs.com
Subject: Re: Policy requirements in Son-Of-IKE
In-Reply-To: <200203230414.g2N4ELU01017@marajade.sandelman.ottawa.on.ca>
Message-ID: <Pine.LNX.4.33.0203251539530.7451-100000@janpc-home.cisco.com>
On Fri, 22 Mar 2002, Michael Richardson wrote:
>
> IKEv1 is a policy agreement protocol. It does not negotiate.
>
> There are two ways that we can do with this.
> 1) we can remove all policy from SOI.
> 2) we can improve policy so that we can negotiate in SOI.
>
> There are good arguments for both paths. I strongly believe that we must
> decide this very soon.
>
> If we go with path #1, then we must have a policy discovery and agreement
> protocol. This was supposed to be solved by IPSP WG, but IPSP got forced into
> doing this Policy Schema/PIB stuff. IPSP is only now starting on this. If the
> IPSEC WG wants to go route #1, then we MUST complete the IPSP WG on the same
> schedule. IPSRA work will have to be redone as well.
>
> (The PIB stuff doesn't help at all for inter-domain stuff, and I do not think
> it even helps for road-warrior/gateway. Maybe I'm wrong. )
>
> If we go with path #2, then we need policy negotiation in SOI.

At the last IETF, Pyda Srisuresh presented a draft he wrote (and I
contributed to) in the IPSP working group. We tried to float this in the
IPsec WG as well, I believe. It seems neither group was interested.

I've placed the expired draft here, in case anyone's interested:

http://www.employees.org/~vilhuber/draft-srisuresh-ike-policy-extensions-01.txt

I don't think it's QUITE what you're looking for, but maybe there's some
decent ideas there we can incorporate at some point.

jan

> I'm not
> convinced that this will be rich enough to do the kinds of things that SPP
> could do, but it MUST at least satisfy the VPN, remote access needs. It is
> likely that it will satisfy Opportunistic Encryption needs as well.
>
> A method to deal with protocols like FTP (i.e. IRC, H323, SIP/AVP, etc.)
> should be included in the requirements.
>
> (Some gateway discovery protocol like SPP, TED, etc. will still have
> value. A different form of OE can also be created with this kind of thing)
>
> Again, we have to decide on the path to take. This is not a debate about
> the proposals - it is clear to me that the protocol folks will cope.
>
> Cheryl's 01 draft suggests improving policy (#2).
>
> I think that most of the WG is siding with this. Not all.
> It would be helpful if those who are in favour of #1 would:
> 1) write drafts (not emails) explaining their view of the world.
>
> 2) review the scenarios in the SOI requirements draft and explain how
> these things can be done.
>
> 3) join and help review the IPSP work.
>
>
> ]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
>
>
>
> PS: I'm a bit upset that any time was spent on presentations on Thursday
> morning. We should have spent the high bandwidth time in the small room
> on discussion about these things.
>
> I guess I should have read the agenda with more thought and objected to it.
> I wonder if an official interim meeting in late April would have value.
>

--
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847