[midcom] notification of work that may help
Wes Hardaker <hardaker@tislabs.com> Thu, 05 December 2002 16:50 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA19179 for <midcom-archive@odin.ietf.org>; Thu, 5 Dec 2002 11:50:51 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id gB5GrFR05186 for midcom-archive@odin.ietf.org; Thu, 5 Dec 2002 11:53:15 -0500
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gB5Gn7v04957; Thu, 5 Dec 2002 11:49:07 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gB5Glhv04872 for <midcom@optimus.ietf.org>; Thu, 5 Dec 2002 11:47:43 -0500
Received: from localhost.localdomain (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA19004 for <midcom@ietf.org>; Thu, 5 Dec 2002 11:44:47 -0500 (EST)
Received: (from hardaker@localhost) by localhost.localdomain (8.11.6/8.11.6) id gB5GlYf03121; Thu, 5 Dec 2002 08:47:34 -0800
To: midcom@ietf.org
From: Wes Hardaker <hardaker@tislabs.com>
X-Face: #qW^}a%m*T^{A:Cp}$R\"38+d}41-Z}uU8, r%F#c#s:~Nzp0G9](s?, K49KJ]s"*7gvRgA SrAvQc4@/}L7Qc=w{)]ACO\R{LF@S{pXfojjjGg6c;q6{~C}CxC^^&~(F]`1W)%9j/iS/ IM",B1M.?{w8ckLTYD'`|kTr\i\cgY)P4
Organization: Network Associates Laboratories
Date: Thu, 05 Dec 2002 08:47:34 -0800
Message-ID: <sd1y4wxvix.fsf@wanderer.hardakers.net>
User-Agent: Gnus/5.090008 (Oort Gnus v0.08) XEmacs/21.5 (brussels sprouts, i686-pc-linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: [midcom] notification of work that may help
Sender: midcom-admin@ietf.org
Errors-To: midcom-admin@ietf.org
X-BeenThere: midcom@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/midcom>, <mailto:midcom-request@ietf.org?subject=unsubscribe>
List-Id: <midcom.ietf.org>
List-Post: <mailto:midcom@ietf.org>
List-Help: <mailto:midcom-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/midcom>, <mailto:midcom-request@ietf.org?subject=subscribe>
I've been glancing over the rfc3304.txt and draft-ietf-midcom-protocol-eval-06.txt documents and thought you probably should be aware of some existing work within the IETF that may help you out (you'll likely need to build upon it, but you can use it as a good starting point). I haven't read either document cover to cover, so forgive me if I say something out of line. Much of these two documents discusses the need for required policy rules for packet filtering. There has been a lot of work in this area within the ip-security-policy (ipsp) working group. Specifically, I'm one of the authors of the IPSEC-POLICY-MIB which is a document that closely aligns with your work and you might consider looking at. For example, the following requirement: 2.2.8. The Midcom protocol must be able to carry filtering rules, including but not limited to the 5-tuple, from the midcom agent to the middlebox. By "5-tuple", we refer to the standard <source address, source port, destination address, destination port, transport protocol> tuple. Other filtering elements may be carried, as well. and the associated comments about SNMP in the evaluation document: 2.2.8 Transport of filtering rules SNMP: P+, RSIP: P+, Megaco: P+, Diameter: P+, COPS: P+ SNMP: This requirement can be met by an appropriate definition of a MIDCOM MIB module. SMI, the language used for defining MIB modules, is flexible enough to allow the implementation of a MIB module to meet the semantics of this requirement. These are filled in part or in total by the IPSEC-POLICY-MIB. (Don't let the "IPSEC" in the name confuse you. It's not IPSEC-specific). The IPSEC-POLICY-MIB can be divided into 2 parts: a policy rules section for processing packets using rules, filters, and actions. The other 2/3rds of the MIB is devoted to IPsec specific actions (start an SA, start an IKE transaction, ...). There is a very deliberate delineation between the packet processing portion of the MIB and the IPsec specific actions. Specifically, the packet processing rules are really just a firewall configuration section (there are standard actions for "drop packet" and "accept packet" as well). There are numerous filtering mechanisms in place within the MIB, such as the ipHeaderFilterTable which directly meets the 2.2.8 requirement above and the timeFilterTable which may meet other of your requirements. The MIB is deliberately very extensible, and new filters and actions can be defined in external documents so that if you wanted to base your work on it's packet and rule processing system but needed some extra filters, it would be easy to do so. All of this work is in alignment with the policy models being developed within the Policy Framework working group, the IPSP WG, and the DMTF. I mention this because it looks like you refer to parts of these data models in your documents at times. Finally, there is also a IPSEC-POLICY-PIB for COPS also being published in the IPSP working group. I don't know if it is extensible and reusable as the MIB as I haven't given it a review lately. We designed the MIB to be a generic firewall configuration engine, but I don't know if the PIB authors had the same goal. There is also a working reference-release implementation for the MIB on linux, as well as a manager that should run on just about any platform. See http://net-policy.sourceforge.net/ for details on that particular project. -- Wes Hardaker Network Associates Laboratories _______________________________________________ midcom mailing list midcom@ietf.org https://www1.ietf.org/mailman/listinfo/midcom
- [midcom] notification of work that may help Wes Hardaker