[midcom] notification of work that may help
Wes Hardaker <hardaker@tislabs.com> Thu, 05 December 2002 16:50 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA19179 for <midcom-archive@odin.ietf.org>; Thu, 5 Dec 2002 11:50:51 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id gB5GrFR05186 for midcom-archive@odin.ietf.org; Thu, 5 Dec 2002 11:53:15 -0500
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gB5Gn7v04957; Thu, 5 Dec 2002 11:49:07 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gB5Glhv04872 for <midcom@optimus.ietf.org>; Thu, 5 Dec 2002 11:47:43 -0500
Received: from localhost.localdomain (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA19004 for <midcom@ietf.org>; Thu, 5 Dec 2002 11:44:47 -0500 (EST)
Received: (from hardaker@localhost) by localhost.localdomain (8.11.6/8.11.6) id gB5GlYf03121; Thu, 5 Dec 2002 08:47:34 -0800
To: midcom@ietf.org
From: Wes Hardaker <hardaker@tislabs.com>
X-Face: #qW^}a%m*T^{A:Cp}$R\"38+d}41-Z}uU8, r%F#c#s:~Nzp0G9](s?, K49KJ]s"*7gvRgA SrAvQc4@/}L7Qc=w{)]ACO\R{LF@S{pXfojjjGg6c;q6{~C}CxC^^&~(F]`1W)%9j/iS/ IM",B1M.?{w8ckLTYD'`|kTr\i\cgY)P4
Organization: Network Associates Laboratories
Date: Thu, 05 Dec 2002 08:47:34 -0800
Message-ID: <sd1y4wxvix.fsf@wanderer.hardakers.net>
User-Agent: Gnus/5.090008 (Oort Gnus v0.08) XEmacs/21.5 (brussels sprouts, i686-pc-linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: [midcom] notification of work that may help
Sender: midcom-admin@ietf.org
Errors-To: midcom-admin@ietf.org
X-BeenThere: midcom@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/midcom>, <mailto:midcom-request@ietf.org?subject=unsubscribe>
List-Id: <midcom.ietf.org>
List-Post: <mailto:midcom@ietf.org>
List-Help: <mailto:midcom-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/midcom>, <mailto:midcom-request@ietf.org?subject=subscribe>
I've been glancing over the rfc3304.txt and
draft-ietf-midcom-protocol-eval-06.txt documents and thought you
probably should be aware of some existing work within the IETF that
may help you out (you'll likely need to build upon it, but you can use
it as a good starting point). I haven't read either document cover to
cover, so forgive me if I say something out of line.
Much of these two documents discusses the need for required policy
rules for packet filtering. There has been a lot of work in this area
within the ip-security-policy (ipsp) working group. Specifically, I'm
one of the authors of the IPSEC-POLICY-MIB which is a document that
closely aligns with your work and you might consider looking at. For
example, the following requirement:
2.2.8.
The Midcom protocol must be able to carry filtering rules,
including but not limited to the 5-tuple, from the midcom agent
to the middlebox.
By "5-tuple", we refer to the standard <source address, source
port, destination address, destination port, transport protocol>
tuple. Other filtering elements may be carried, as well.
and the associated comments about SNMP in the evaluation document:
2.2.8 Transport of filtering rules
SNMP: P+, RSIP: P+, Megaco: P+, Diameter: P+, COPS: P+
SNMP: This requirement can be met by an appropriate definition of a
MIDCOM MIB module. SMI, the language used for defining MIB modules,
is flexible enough to allow the implementation of a MIB module to
meet the semantics of this requirement.
These are filled in part or in total by the IPSEC-POLICY-MIB. (Don't
let the "IPSEC" in the name confuse you. It's not IPSEC-specific).
The IPSEC-POLICY-MIB can be divided into 2 parts: a policy rules
section for processing packets using rules, filters, and actions.
The other 2/3rds of the MIB is devoted to IPsec specific actions
(start an SA, start an IKE transaction, ...). There is a very
deliberate delineation between the packet processing portion of the
MIB and the IPsec specific actions. Specifically, the packet
processing rules are really just a firewall configuration section
(there are standard actions for "drop packet" and "accept packet" as
well). There are numerous filtering mechanisms in place within the
MIB, such as the ipHeaderFilterTable which directly meets the 2.2.8
requirement above and the timeFilterTable which may meet other of your
requirements.
The MIB is deliberately very extensible, and new filters and actions
can be defined in external documents so that if you wanted to base
your work on it's packet and rule processing system but needed some
extra filters, it would be easy to do so.
All of this work is in alignment with the policy models being
developed within the Policy Framework working group, the IPSP WG, and
the DMTF. I mention this because it looks like you refer to parts of
these data models in your documents at times.
Finally, there is also a IPSEC-POLICY-PIB for COPS also being
published in the IPSP working group. I don't know if it is extensible
and reusable as the MIB as I haven't given it a review lately. We
designed the MIB to be a generic firewall configuration engine, but I
don't know if the PIB authors had the same goal.
There is also a working reference-release implementation for the MIB
on linux, as well as a manager that should run on just about any
platform. See http://net-policy.sourceforge.net/ for details on that
particular project.
--
Wes Hardaker
Network Associates Laboratories
_______________________________________________
midcom mailing list
midcom@ietf.org
https://www1.ietf.org/mailman/listinfo/midcom
- [midcom] notification of work that may help Wes Hardaker