From: "Peter Lewis"
Subject: IPSec Global Summit
Date: Mon, 2 Jul 2001 17:16:29 +0200
Message-ID: <004d01c10309$f8f0bc80$0601a8c0@oleane.com>

The third annual IPSec Global Summit will take place in Paris October 23 through 26, 2001.

http://www.upperside.fr/ipsec2001/ipsec01intro.htm


From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
To: IETF-Announce
Cc: ipsec-policy@vpnc.org
Subject: I-D ACTION:draft-ietf-ipsp-requirements-01.txt
Date: Tue, 10 Jul 2001 10:24:31 -0400
Message-Id: <200107101424.KAA00239@ietf.org>

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Policy Working Group of the IETF.

    Title     : IPSP Requirements
    Author(s) : M. Blaze, A. Keromytis, M. Richardson, L. Sanchez
    Filename  : draft-ietf-ipsp-requirements-01.txt
    Pages     :
    Date      : 09-Jul-01

This document describes the problem and solution requirements for the IPsec Policy Protocol.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-ipsp-requirements-01.txt

Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsp-requirements-01.txt".

A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-ipsp-requirements-01.txt".

NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.

Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org"
Content-ID: <20010709103419.I-D@ietf.org>

ENCODING mime
FILE /internet-drafts/draft-ietf-ipsp-requirements-01.txt

Content-Type: Message/External-body; name="draft-ietf-ipsp-requirements-01.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts"
Content-ID: <20010709103419.I-D@ietf.org>

From: Michael Baer
Organization: NAI Labs
To: ipsec-policy@vpnc.org
Subject: ipsp-config-policy-model Questions
Date: 18 Jul 2001 13:08:25 -0700
Message-ID: <86k816gfuu.fsf@mikesoffice.com>

Hi, I've been involved in trying to create an SNMP MIB that is based off of the ipsp-config-policy-model and have come up with some questions/comments regarding the current model.

For PreconfiguredSAAction, several extra values seem to be needed beyond what is currently in the model:

  An AH key value. The AH key length.
  An AH IV value and the IV length.
  ESP key value(s) (auth and encrypt) and the key lengths.
  ESP IV values and the IV lengths.

For SATransform, sub-class ESPTransform has values for the number of key rounds with an indication this may be useful in future ESP algorithms. Would this hold true for future AH algorithms as well? (In which case the AHTransform class should have a key rounds value.) And would the key rounds value be necessary for both future authentication and encryption algorithms within ESP? (In which case two key rounds values may be necessary for the ESPTransform class.)

In a given set of SATransforms within a negotiated SA Action, there could be as many as 3 different values for maxLifetimeSeconds and maxLifetimeKilobytes (one set from each of an AHTransform, ESPTransform, and IPcomp Transform) for an SA. I would assume that the minimum of the 3 values from each of these would be the value to use, but this should probably be explicitly stated somewhere in the model (maybe in the SATransform class or the IPsecProposal class?).

In the SAStaticAction Class a similar problem exists. Including the value from SAStaticAction, the value from the sub-class PreconfiguredSAAction and the values from possibly 3 different SATransform objects, 4 different values of maxLifetimeSeconds and maxLifetimeKilobytes can exist for an SA. Should the PreconfiguredSAAction's object lifetime values override the SATransforms' lifetime values, or should the minimum of the 4 possible values be used? Or possibly a different method? I see advantages to either method above, but one should probably be stated in the model.

--
Michael Baer
baerm@mikesoffice.com
NAI Labs


From: Wes Hardaker
Organization: Network Associates - NAI Labs
Cc: "IPSec Policy WG"
Subject: Re: IPSEC-POLICY-MIB - Negotiation actions
Date: Wed, 18 Jul 2001 14:46:07 -0700
In-Reply-To: ("Casey Carr"'s message of "Wed, 9 May 2001 11:05:53 -0400")

>>>>> On Wed, 9 May 2001 11:05:53 -0400, "Casey Carr" said:

Casey> I'm concerned about the apparent deviation from the IPSec
Casey> Policy model that the IPSEC-POLICY-MIB has taken with regards
Casey> to SANegotiatedActions.

Casey> The NegotiationAction table contains the sanIKEActionName and
Casey> sanIPsecActionName.

Casey, I've fixed it in the copy of the MIB that will be published by Friday's ID deadline. The saNegotiationAction table no longer exists and the ikeActionTable and ipsecActionTable should be pointed to directly by the action related row pointers.

I have, however, kept the lifetime parameters separate for the time being in a replacement of the saNegotiationAction table which has been renamed to "saNegotiationParametersTable" and the pointer columns removed (and pointer columns were added to the ikeActionTable and ipsecActionTable).

My view on this is that the reuse in this case is probably warranted as it's likely that administrators would want to globally define lifetime parameters that they feel are acceptable, and that they'll likely not only want to have both the ike and ipsec related actions be able to reuse those same definitions, but multiple independent actions of the same type (eg, ike and ike) will likely want to use the same values as well. This provides for easy changing of the lifetime parameters at a more global location. However, if the WG disagrees with me on this I'd be happy to duplicate the columns in the other two action tables and move on. Let me know...

Here's the new table breakdown of the 3 tables discussed:

+--saNegotiationParametersTable(11)
   |
   +--saNegotiationParametersEntry(1)
      |  Index: sanActionParametersName
      |
      +-- CR-- String    sanActionParametersName(1)
      |        Textual Convention: SnmpAdminString
      |        Size: 1..32
      +-- CR-- String    sanActionDescription(2)
      |        Size: 0..255
      +-- CR-- Integer32 sanMinimumLifetimeSeconds(3)
      +-- CR-- Integer32 sanMinimumLifetimeKB(4)
      +-- CR-- Integer32 sanRefreshThresholdSeconds(5)
      +-- CR-- Integer32 sanRefreshThresholdKB(6)
      +-- CR-- Integer32 sanIdleDurrationSeconds(7)
      +-- -R-- TimeTicks sanLastChanged(8)
      |        Textual Convention: TimeStamp
      +-- CR-- EnumVal   sanStorageType(9)
      |        Textual Convention: StorageType
      |        Values: other(1), volatile(2), nonVolatile(3), permanent(4), readOnly(5)
      +-- CR-- EnumVal   sanRowStatus(10)
               Textual Convention: RowStatus
               Values: active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6)

+--ikeActionTable(12)
   |
   +--ikeActionEntry(1)
      |  Index: ikeActionName
      |
      +-- ---- String    ikeActionName(1)
      |        Textual Convention: SnmpAdminString
      |        Size: 1..32
      +-- ---- String    ikeActionParametersName(2)
      |        Textual Convention: SnmpAdminString
      |        Size: 1..32
      +-- CR-- Integer32 ikeThresholdDerivedKeys(3)
      |        Range: 0..100
      +-- CR-- EnumVal   ikeExchangeMode(4)
      |        Values: main(1), agressive(2)
      +-- CR-- EnumVal   ikeAgressiveModeGroupId(5)
      |        Textual Convention: IkeGroupDescription
      |        Values: reserved(0), modp768(1), modp1024(2), ec2nGF155(3), ec2nGF185(4), ec2nGF163Random(6), ec2nGF163Koblitz(7), ec2nGF283Random(8), ec2nGF283Koblitz(9), ec2nGF409Random(10), ec2nGF409Koblitz(11), ec2nGF571Random(12), ec2nGF571Koblitz(13)
      +-- CR-- String    ikeProposalName(6)
      |        Textual Convention: SnmpAdminString
      |        Size: 1..32
      +-- CR-- String    ikeIdentityName(7)
      |        Textual Convention: SnmpAdminString
      |        Size: 1..32
      +-- -R-- TimeTicks ikeActionLastChange(8)
      |        Textual Convention: TimeStamp
      +-- CR-- EnumVal   ikeActionStorageType(9)
      |        Textual Convention: StorageType
      |        Values: other(1), volatile(2), nonVolatile(3), permanent(4), readOnly(5)
      +-- CR-- EnumVal   ikeActionRowStatus(10)
               Textual Convention: RowStatus
               Values: active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6)

+--ipsecActionTable(14)
   |
   +--ipsecActionEntry(1)
      |  Index: ipsecActionName
      |
      +-- ---- String    ipsecActionName(1)
      |        Textual Convention: SnmpAdminString
      |        Size: 1..32
      +-- ---- String    ipsecActionParametersName(2)
      |        Textual Convention: SnmpAdminString
      |        Size: 1..32
      +-- CR-- String    ipsecProposalName(3)
      |        Textual Convention: SnmpAdminString
      |        Size: 1..32
      +-- CR-- EnumVal   ipsecUsePfs(4)
      |        Textual Convention: TruthValue
      |        Values: true(1), false(2)
      +-- CR-- String    ipsecVendorId(5)
      |        Size: 0..255
      +-- CR-- EnumVal   ipsecGroupId(6)
      |        Textual Convention: IkeGroupDescription
      |        Values: reserved(0), modp768(1), modp1024(2), ec2nGF155(3), ec2nGF185(4), ec2nGF163Random(6), ec2nGF163Koblitz(7), ec2nGF283Random(8), ec2nGF283Koblitz(9), ec2nGF409Random(10), ec2nGF409Koblitz(11), ec2nGF571Random(12), ec2nGF571Koblitz(13)
      +-- CR-- EnumVal   ipsecUseIkeGroup(7)
      |        Textual Convention: TruthValue
      |        Values: true(1), false(2)
      +-- CR-- EnumVal   ipsecGranularity(8)
      |        Values: wideSelector(1), narrowSelector(2)
      +-- CR-- EnumVal   ipsecMode(9)
      |        Values: tunnel(1), transport(2)
      +-- CR-- EnumVal   ipsecDFHandling(10)
      |        Values: copy(1), set(2), clear(3)
      +-- -R-- TimeTicks ipsecActionLastChange(11)
      |        Textual Convention: TimeStamp
      +-- CR-- EnumVal   ipsecActionStorageType(12)
      |        Textual Convention: StorageType
      |        Values: other(1), volatile(2), nonVolatile(3), permanent(4), readOnly(5)
      +-- CR-- EnumVal   ipsecActionRowStatus(13)
               Textual Convention: RowStatus
               Values: active(1), notInService(2), notReady(3), createAndGo(4), createAndWait(5), destroy(6)

--
Wes Hardaker
NAI Labs
Network Associates

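The table layout Wes describes above (one shared saNegotiationParametersTable that both ikeActionTable and ipsecActionTable point at through their ParametersName column) has one property an agent implementer has to get right: a row in either action table is only usable when the parameters row it names exists. The following is an added example, not code from the MIB or from any agent; it models the three tables with only the columns the reference needs, checks that every action's reference resolves, and shows the "change it in one global place" effect Wes argues for. Column meanings beyond the names in the tree, and the requirement that the referenced row be active(1), are assumptions.

```python
"""Model of the three IPSEC-POLICY-MIB tables in Wes Hardaker's breakdown.
Added example, not the MIB or any agent code; semantics beyond the column
names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RowStatus values as listed in the MIB tree.
ACTIVE, NOT_IN_SERVICE, NOT_READY = 1, 2, 3
# SnmpAdminString Size: 1..32 on the *Name columns.
NAME_MIN, NAME_MAX = 1, 32


@dataclass
class NegotiationParameters:
    """One row of saNegotiationParametersTable (subset of the columns)."""
    sanActionParametersName: str
    sanMinimumLifetimeSeconds: int
    sanMinimumLifetimeKB: int
    sanRefreshThresholdSeconds: int
    sanRefreshThresholdKB: int
    sanRowStatus: int = ACTIVE


@dataclass
class Action:
    """A row of ikeActionTable or ipsecActionTable.  Only the index and the
    ikeActionParametersName / ipsecActionParametersName reference are kept,
    so one row type serves both tables."""
    name: str
    parameters_name: str
    table: str  # "ike" or "ipsec"


@dataclass
class Mib:
    parameters: Dict[str, NegotiationParameters] = field(default_factory=dict)
    actions: Dict[str, Action] = field(default_factory=dict)  # key: "<table>/<name>"


def valid_name(name: str) -> bool:
    return NAME_MIN <= len(name) <= NAME_MAX


def check_references(mib: Mib) -> List[str]:
    """Referential-integrity check: every action must name a parameters row
    that exists and is active.  Returns one description per problem; an
    empty list means the MIB is consistent.  Requiring active(1) on the
    referenced row is an assumption, not something the thread states."""
    problems: List[str] = []
    for key, action in mib.actions.items():
        if not valid_name(action.parameters_name):
            problems.append(f"{key}: parameters name length outside 1..32")
            continue
        row = mib.parameters.get(action.parameters_name)
        if row is None:
            problems.append(f"{key}: dangling reference {action.parameters_name!r}")
        elif row.sanRowStatus != ACTIVE:
            problems.append(f"{key}: referenced row is not active")
    return problems


def resolve_lifetime(mib: Mib, key: str) -> Optional[Tuple[int, int]]:
    """(sanMinimumLifetimeSeconds, sanMinimumLifetimeKB) an action inherits
    through its shared parameters row, or None when the reference is unusable."""
    action = mib.actions.get(key)
    if action is None:
        return None
    row = mib.parameters.get(action.parameters_name)
    if row is None or row.sanRowStatus != ACTIVE:
        return None
    return (row.sanMinimumLifetimeSeconds, row.sanMinimumLifetimeKB)


def retune_lifetime(mib: Mib, params_name: str, seconds: int, kb: int) -> int:
    """Edit one shared row and report how many actions (IKE and IPsec alike)
    pick up the new values: the global-change property of the shared table."""
    row = mib.parameters[params_name]
    row.sanMinimumLifetimeSeconds = seconds
    row.sanMinimumLifetimeKB = kb
    return sum(1 for a in mib.actions.values() if a.parameters_name == params_name)


def build_sample_mib() -> Mib:
    """Constructed sample data: one shared parameters row reused by an IKE
    action and an IPsec action, plus an IPsec action whose parameters row
    was never created."""
    mib = Mib()
    mib.parameters["corp-default"] = NegotiationParameters(
        "corp-default", 28800, 1_000_000, 3600, 100_000)
    mib.actions["ike/main-office"] = Action("main-office", "corp-default", "ike")
    mib.actions["ipsec/main-office"] = Action("main-office", "corp-default", "ipsec")
    mib.actions["ipsec/lab"] = Action("lab", "lab-params", "ipsec")
    return mib


if __name__ == "__main__":
    mib = build_sample_mib()
    print(check_references(mib))          # the dangling ipsec/lab reference
    print(resolve_lifetime(mib, "ike/main-office"))
    print(retune_lifetime(mib, "corp-default", 3600, 500_000), "actions updated")
```

The dangling `ipsec/lab` row is the case a real agent would reject at RowStatus activation time; here it simply resolves to None and is reported by `check_references`.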
From: Eric Vyncke
To: Michael Baer
Cc: ipsec-policy@vpnc.org
Subject: Re: ipsp-config-policy-model Questions
Date: Thu, 19 Jul 2001 14:05:58 -0700
Message-Id: <4.3.2.7.2.20010719131734.0202ff00@brussels.cisco.com>
In-Reply-To: <86k816gfuu.fsf@mikesoffice.com>

At 13:08 18/07/2001 -0700, Michael Baer wrote:
>Hi, I've been involved in trying to create a SNMP MIB that is based
>off of the ipsp-config-policy-model and have come up with some
>questions/comments regarding the current model.
>
>For PreconfiguredSAAction's several extra values seem to be needed
>beyond what is currently in the model:
>
>A AH key value. The AH key length.
>A AH IV value and the IV length.
>ESP key value(s) (auth and encrypt) and the key lengths.
>ESP IV values and the IV lengths.
>

The key values are in the external class SharedSecret as explained in the section about PreconfiguredSAAction. The key length can be derived from the length of the value of the SharedSecret. I'll update the I-D regarding the TWO keys needed for ESP (auth & encrypt), thanks for spotting this mistake. Another addition is about the number of key rounds ;-)

My understanding of the IV is that the IV is per packet (either explicit or implicit) and hence is not part of the SA itself.

>For SATransform, sub-class ESPTransform has values for the number of
>key rounds with an indication this may be useful in future ESP
>algorithms. Would this hold true for future AH algorithms as well? (in
>which case the AHTransform class should have a key rounds value)

I didn't find any relevant information by doing a quick browse through the IPSec RFC. But, assuming that the HMAC is using a cipher mechanism, the number of rounds should be part of the AHTransform. I'm just uneasy to change the I-D right now (deadline is in 2 days)...

>And would the key rounds value be necessary for both future
>authentication and encryption algorithms within ESP (in which case two
>key rounds values may be necessary for the ESPTransform class)
>
>In a given set of SATransforms within a negotiated SA Action, there
>could be as many as 3 different values for maxLifetimeSeconds and
>maxLifetimeKilobytes (one set from each of a AHTransform,
>ESPTransform, and IPcomp Transform) for an SA. I would assume that the
>minimum of the 3 value from each of these would be the value to use,
>but this should probably be explicitly stated somewhere in the model
>(maybe in the SATransform class or the IPsecProposal class?).

AFAIK, there will be 3 SA pairs: 1 SA pair for ESP, 1 SA pair for AH and 1 SA pair for IPcomp. Each of those SAs will get its own MaxLifetimeSeconds property inherited from SATransform.

>In the SAStaticAction Class a similar problem exists. Including the
>value from SAStaticAction, the value from the sub-class
>PreconfiguredSAAction and the values from possibly 3 different
>SATransform objects, 4 different values of maxLifetimeSeconds and
>maxLifetimeKilobytes can exist for an SA. Should the
>PreconfiguredSAAction's object lifetime values override the
>SATransforms lifetime values or should the minimum of the 4 possible
>values be used? or possibly a different method? I see advantages to
>either method above, but one should probably be stated in the model.

See above

Thanks for your comments

-eric


From: Michael Baer
Organization: NAI Labs
To: Eric Vyncke
Cc: ipsec-policy@vpnc.org
Subject: Re: ipsp-config-policy-model Questions
Date: 19 Jul 2001 11:49:39 -0700
Message-ID: <867kx4hhz0.fsf@mikesoffice.com>
In-Reply-To: <4.3.2.7.2.20010719131734.0202ff00@brussels.cisco.com> (Eric Vyncke's message of "Thu, 19 Jul 2001 14:05:58 -0700")

>>>>> "Eric" == Eric Vyncke writes:

Eric> At 13:08 18/07/2001 -0700, Michael Baer wrote:
>>
>> In a given set of SATransforms within a negotiated SA Action,
>> there could be as many as 3 different values for
>> maxLifetimeSeconds and maxLifetimeKilobytes (one set from each
>> of a AHTransform, ESPTransform, and IPcomp Transform) for an
>> SA. I would assume that the minimum of the 3 value from each of
>> these would be the value to use, but this should probably be
>> explicitly stated somewhere in the model (maybe in the
>> SATransform class or the IPsecProposal class?).

Eric> AFAIK, there will be 3 SA pairs: 1 SA pair for ESP, 1 SA
Eric> pair for AH and 1 SA pair for IPcomp. Each of those SA will
Eric> get its own MaxLifetimeSeconds property inherited from
Eric> SATransform.

I just made the Homer Simpson 'Doh' sound.

>> In the SAStaticAction Class a similar problem exists. Including
>> the value from SAStaticAction, the value from the sub-class
>> PreconfiguredSAAction and the values from possibly 3 different
>> SATransform objects, 4 different values of maxLifetimeSeconds
>> and maxLifetimeKilobytes can exist for an SA. Should the
>> PreconfiguredSAAction's object lifetime values override the
>> SATransforms lifetime values or should the minimum of the 4
>> possible values be used? or possibly a different method? I see
>> advantages to either method above, but one should probably be
>> stated in the model.

Eric> See above

Thanks for your response. I see how I wasn't thinking straight about the 3 possible SAs in a negotiated action above (sigh), but I still don't understand the maxLifetime values in a PreconfiguredSAAction. If the Action has maxLifetime values and each SA Transform has maxLifetime values, which value is used for a given SA? (The SATransform's, the PreconfiguredSAAction's, or the minimum of the two.)
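The two points settled in this exchange are easy to get wrong in an implementation: each protocol (AH, ESP, IPcomp) yields its own SA pair with the lifetime inherited from its own SATransform, so transform lifetimes are never minimised across protocols; and, per Eric Vyncke's follow-up on Jul 20 further down the thread, where a PreconfiguredSAAction also carries maxLifetime values the smallest timer wins. The following is an added example, not text or code from the config policy model I-D; it models the classes named in the thread with just their lifetime properties and resolves the effective lifetime for every SA of an action. Treating an absent value as "no limit" (so it never wins the minimum) is an assumption the thread does not address.

```python
"""Effective SA lifetime resolution for the question raised in this thread.
Added example, not from draft-ietf-ipsp-config-policy-model; None as
'no limit' is an assumption."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Lifetime:
    """maxLifetimeSeconds / maxLifetimeKilobytes; None means not set."""
    seconds: Optional[int] = None
    kilobytes: Optional[int] = None


@dataclass(frozen=True)
class SATransform:
    """AHTransform, ESPTransform or IPCOMPTransform, reduced to the
    lifetime properties inherited from SATransform."""
    protocol: str  # "AH", "ESP" or "IPCOMP"
    max_lifetime: Lifetime


@dataclass(frozen=True)
class PreconfiguredSAAction:
    """SAStaticAction/PreconfiguredSAAction: its own lifetime values plus
    the transforms it instantiates, one SA (pair) per protocol."""
    max_lifetime: Lifetime
    transforms: Tuple[SATransform, ...]


def _smallest_set(*values: Optional[int]) -> Optional[int]:
    """Minimum of the values that are actually set; None if none are."""
    present = [v for v in values if v is not None]
    return min(present) if present else None


def effective_lifetime(action: PreconfiguredSAAction, transform: SATransform) -> Lifetime:
    """The 'smallest timers are used' rule: the action's value and this
    SA's own transform value are combined by taking the smaller, and the
    seconds and kilobytes limits are minimised independently."""
    return Lifetime(
        seconds=_smallest_set(action.max_lifetime.seconds, transform.max_lifetime.seconds),
        kilobytes=_smallest_set(action.max_lifetime.kilobytes, transform.max_lifetime.kilobytes),
    )


def resolve_action(action: PreconfiguredSAAction) -> Dict[str, Lifetime]:
    """One entry per protocol SA.  Only that SA's own transform takes part,
    so a short AH lifetime never shortens the ESP SA.  A second transform
    for the same protocol would mean two SAs competing for one slot, so it
    is rejected rather than silently minimised."""
    result: Dict[str, Lifetime] = {}
    for transform in action.transforms:
        if transform.protocol in result:
            raise ValueError(f"duplicate {transform.protocol} transform in action")
        result[transform.protocol] = effective_lifetime(action, transform)
    return result


def sample_action() -> PreconfiguredSAAction:
    """Constructed sample: the action caps seconds only, ESP caps both,
    AH is shorter than the action, IPcomp sets nothing."""
    return PreconfiguredSAAction(
        max_lifetime=Lifetime(seconds=3600),
        transforms=(
            SATransform("ESP", Lifetime(seconds=7200, kilobytes=500_000)),
            SATransform("AH", Lifetime(seconds=1800)),
            SATransform("IPCOMP", Lifetime()),
        ),
    )


if __name__ == "__main__":
    for protocol, lifetime in resolve_action(sample_action()).items():
        print(protocol, lifetime)
```

With the sample action, ESP ends up at 3600 s / 500000 KB (the action's seconds cap wins, the transform's kilobyte cap is the only one set), AH keeps its own 1800 s, and IPcomp inherits the action's 3600 s with no byte limit.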
-- Michael Baer baerm@mikesoffice.com NAI Labs From owner-ipsec-policy@mail.vpnc.org Thu Jul 19 22:48:01 2001 Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id WAA25228 for ; Thu, 19 Jul 2001 22:48:01 -0400 (EDT) Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.3/8.11.3) id f6K1Ppe15222 for ipsec-policy-bks; Thu, 19 Jul 2001 18:25:51 -0700 (PDT) Received: from wanderer.hardakers.net (IDENT:root@dns2.hardaker.davis.ca.us [168.150.190.2]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f6K1Pnq15218 for ; Thu, 19 Jul 2001 18:25:49 -0700 (PDT) Received: (from hardaker@localhost) by wanderer.hardakers.net (8.11.2/8.11.2) id f6K1AmC02195; Thu, 19 Jul 2001 18:10:48 -0700 X-Authentication-Warning: wanderer.hardakers.net: hardaker set sender to wes@hardakers.net using -f To: Cc: "IPSec Policy WG" Subject: Re: IPSEC-POLICY-MIB - ContainedProposals References: From: Wes Hardaker X-URL: http://dcas.ucdavis.edu/~hardaker Organization: Network Associates - NAI Labs X-Face: #qW^}a%m*T^{A:Cp}$R\"38+d}41-Z}uU8,r%F#c#s:~Nzp0G9](s?,K49KJ]s"*7gvRgA SrAvQc4@/}L7Qc=w{)]ACO\R{LF@S{pXfojjjGg6c;q6{~C}CxC^^&~(F]`1W)%9j/iS/ IM",B1M.?{w8ckLTYD'`|kTr\i\cgY)P4 Date: Thu, 19 Jul 2001 18:10:48 -0700 In-Reply-To: ("Casey Carr"'s message of "Wed, 9 May 2001 14:26:14 -0400") Message-ID: Lines: 20 User-Agent: Gnus/5.090004 (Oort Gnus v0.04) XEmacs/21.2 (Terspichore) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ipsec-policy@mail.vpnc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: >>>>> On Wed, 9 May 2001 14:26:14 -0400, "Casey Carr" said: Casey> It does not appear that the MIB fully supports Casey> "ContainedProposal" aggregation defined in the IPSec policy Casey> model. This aggregation is defines as a "many-to-many" Casey> relationship. 
The attribute ikeProposalName in the Casey> ikeActionTable and the ipsecProposalName in the Casey> ipsecActionTable are defined as a string and the description Casey> indicates that it refers to a single entry in the corresponding Casey> proposal table. Casey> Did I miss something? Nope you didn't miss anything. It's been fixed in the MIB to be published by tomorrow afternoon. Thanks for pointing it out. -- Wes Hardaker NAI Labs Network Associates From owner-ipsec-policy@mail.vpnc.org Fri Jul 20 04:03:33 2001 Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id EAA13528 for ; Fri, 20 Jul 2001 04:03:33 -0400 (EDT) Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.3/8.11.3) id f6K6cdP00307 for ipsec-policy-bks; Thu, 19 Jul 2001 23:38:39 -0700 (PDT) Received: from cisco.com (brussels.cisco.com [144.254.15.68]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f6K6cbq00296 for ; Thu, 19 Jul 2001 23:38:37 -0700 (PDT) Received: from EVYNCKE-W2K.cisco.com (evyncke-isdn-home.cisco.com [10.49.1.170]) by cisco.com (8.8.8+Sun/8.8.8) with ESMTP id IAA24049; Fri, 20 Jul 2001 08:38:28 +0200 (MET DST) Message-Id: <4.3.2.7.2.20010720083602.01f719d0@brussels.cisco.com> X-Sender: evyncke@brussels.cisco.com X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 20 Jul 2001 08:38:09 -0700 To: Michael Baer From: Eric Vyncke Subject: Re: ipsp-config-policy-model Questions Cc: ipsec-policy@vpnc.org, In-Reply-To: <867kx4hhz0.fsf@mikesoffice.com> References: <4.3.2.7.2.20010719131734.0202ff00@brussels.cisco.com> <4.3.2.7.2.20010719131734.0202ff00@brussels.cisco.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ipsec-policy@mail.vpnc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: >Thanks for your response. 
I see how I wasn't thinking straight about >the 3 possible SA'S in a negotiated action above (sigh), but I still >don't understand the maxLifetime values in a preconfiguredSAACtion. If >the Action has maxLifetime values and each SA Transform has >maxLifetime values, which value is used for a given SA? (the >SATransform's, the preconfiguredSAACtion's, or the minimum of the >two.) I'm afraid that you got us ;-) thanks for spotting it. I will have to add text in the I-D for this specific case and specifying that the smallest timers are used. -eric From owner-ipsec-policy@mail.vpnc.org Fri Jul 20 21:59:01 2001 Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id VAA27173 for ; Fri, 20 Jul 2001 21:59:00 -0400 (EDT) Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.3/8.11.3) id f6KNmb023378 for ipsec-policy-bks; Fri, 20 Jul 2001 16:48:37 -0700 (PDT) Received: from ganymede.or.intel.com (jffdns01.or.intel.com [134.134.248.3]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f6KNmaq23374 for ; Fri, 20 Jul 2001 16:48:36 -0700 (PDT) Received: from SMTP (orsmsxvs02-1.jf.intel.com [192.168.65.201]) by ganymede.or.intel.com (8.9.1a+p1/8.9.1/d: relay.m4,v 1.41 2001/07/09 21:06:22 root Exp $) with SMTP id XAA19336 for ; Fri, 20 Jul 2001 23:48:24 GMT Received: from orsmsx28.jf.intel.com ([192.168.70.28]) by 192.168.70.201 (Norton AntiVirus for Internet Email Gateways 1.0) ; Fri, 20 Jul 2001 23:48:24 0000 (GMT) Received: by orsmsx28.jf.intel.com with Internet Mail Service (5.5.2653.19) id ; Fri, 20 Jul 2001 16:48:23 -0700 Message-ID: <794826DE8867D411BAB8009027AE9EB90AD0E920@FMSMSX38> From: "Jason, Jamie" To: "'ipsec-policy@vpnc.org'" Subject: New Policy Model I-D Date: Fri, 20 Jul 2001 16:48:19 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain Sender: owner-ipsec-policy@mail.vpnc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: I have 
submitted the new policy model draft for posting. Until the notification is sent out, you _hopefully_ should be able to get it at ftp://ftp.intel.com/pub/outgoing/draft-ietf-ipsp-config-policy-model-03.txt Jamie ---------------------------------------------------------------- Jamie Jason email: jamie.jason@intel.com Intel Architecture Labs phone: 503-264-9531 2111 NE 25th Avenue fax: 503-264-9428 Hillsboro, OR 97124 "To give anything less than your best is to sacrifice the gift." - Steve Prefontaine All opinions expressed are: 1. Entirely my own. 2. Not necessarily shared by my employer. 3. Unencumbered by the thought process. ---------------------------------------------------------------- From owner-ipsec-policy@mail.vpnc.org Mon Jul 23 07:50:49 2001 Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id HAA12477 for ; Mon, 23 Jul 2001 07:50:48 -0400 (EDT) Received: by above.proper.com (8.11.3/8.11.3) id f6NAe2S16298 for ipsec-policy-bks; Mon, 23 Jul 2001 03:40:02 -0700 (PDT) Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f6NAe0q16294 for ; Mon, 23 Jul 2001 03:40:00 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA09169; Mon, 23 Jul 2001 06:39:02 -0400 (EDT) Message-Id: <200107231039.GAA09169@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ipsec-policy@vpnc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-ipsp-ipsecpib-03.txt Date: Mon, 23 Jul 2001 06:39:02 -0400 Sender: owner-ipsec-policy@mail.vpnc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Policy Working Group of the IETF. Title : IPSec Policy Information Base Author(s) : M. 
Li, D. Arneson, A. Doria, J. Jason, C. Wang Filename : draft-ietf-ipsp-ipsecpib-03.txt Pages : 68 Date : 20-Jul-01 This document specifies a set of policy rule classes (PRC) for configuring IPSec policy at IPsec-enabled devices. Instances of these classes reside in a virtual information store called the IPSec Policy Information Base (PIB). The COPS protocol [COPS] with extensions for provisioning [COPS-PR] is used to transmit this IPSec policy information to IPSec-enabled devices (e.g., security gateways). The PRCs defined in this IPSec PIB are intended for use by the COPS-PR IPSec client type. They complement the PRCs defined in the Framework PIB [FR-PIB]. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-ipsp-ipsecpib-03.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsp-ipsecpib-03.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-ipsp-ipsecpib-03.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. 
--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"

--OtherAccess
Content-Type: Message/External-body;
    access-type="mail-server";
    server="mailserv@ietf.org"

Content-Type: text/plain
Content-ID: <20010720082753.I-D@ietf.org>

ENCODING mime
FILE /internet-drafts/draft-ietf-ipsp-ipsecpib-03.txt

--OtherAccess
Content-Type: Message/External-body;
    name="draft-ietf-ipsp-ipsecpib-03.txt";
    site="ftp.ietf.org";
    access-type="anon-ftp";
    directory="internet-drafts"

Content-Type: text/plain
Content-ID: <20010720082753.I-D@ietf.org>

--OtherAccess--

--NextPart--

From owner-ipsec-policy@mail.vpnc.org Thu Jul 26 14:14:30 2001
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id OAA29984 for ; Thu, 26 Jul 2001 14:14:28 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.3/8.11.3) id f6QBj1e12233 for ipsec-policy-bks; Thu, 26 Jul 2001 04:45:01 -0700 (PDT)
Received: from megisto-sql1.megisto.com ([63.113.114.132]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f6QBixs12222 for ; Thu, 26 Jul 2001 04:45:00 -0700 (PDT)
Received: from megisto.com (SANCHEZ [192.168.20.50]) by megisto-sql1.megisto.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id PS3P8PWH; Thu, 26 Jul 2001 07:43:24 -0400
Message-ID: <3B6002A9.E1F27447@megisto.com>
Date: Thu, 26 Jul 2001 07:44:41 -0400
From: "Luis A. Sanchez"
Organization: Megisto Systems
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "ipsec-policy@vpnc.org"
Subject: Agenda Items
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive:
List-ID:
List-Unsubscribe:
Content-Transfer-Encoding: 7bit

Folks,

Hilarie and I are working on the agenda for the next IPSP meeting. Please send us your requests by NLT July 30.
Thanks,

-Luis

July 31 - Working Group Agendas due date by 1700 ET

From owner-ipsec-policy@mail.vpnc.org Fri Jul 27 08:16:13 2001
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id IAA11122 for ; Fri, 27 Jul 2001 08:16:12 -0400 (EDT)
Received: by above.proper.com (8.11.3/8.11.3) id f6RB8pG12718 for ipsec-policy-bks; Fri, 27 Jul 2001 04:08:51 -0700 (PDT)
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f6RB8os12714 for ; Fri, 27 Jul 2001 04:08:50 -0700 (PDT)
Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA06681; Fri, 27 Jul 2001 07:07:51 -0400 (EDT)
Message-Id: <200107271107.HAA06681@ietf.org>
Mime-Version: 1.0
Content-Type: Multipart/Mixed; Boundary="NextPart"
To: IETF-Announce: ;
Cc: ipsec-policy@vpnc.org
From: Internet-Drafts@ietf.org
Reply-to: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-ipsp-config-policy-model-03.txt
Date: Fri, 27 Jul 2001 07:07:51 -0400
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive:
List-ID:
List-Unsubscribe:

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Policy Working Group of the IETF.

    Title       : IPsec Configuration Policy Model
    Author(s)   : J. Jason, L. Rafalow, E. Vyncke
    Filename    : draft-ietf-ipsp-config-policy-model-03.txt
    Pages       : 148
    Date        : 26-Jul-01

This document presents an object-oriented model of IPsec policy designed to:

   o facilitate agreement about the content and semantics of IPsec policy
   o enable derivations of task-specific representations of IPsec policy
     such as storage schema, distribution representations, and policy
     specification languages used to configure IPsec-enabled endpoints

The schema described in this document models the IKE phase one parameters as described in [IKE] and the IKE phase two parameters for the IPsec Domain of Interpretation as described in [COMP, ESP, AH, DOI]. It is based upon the core policy classes as defined in the Policy Core Information Model (PCIM) [PCIM].

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-ipsp-config-policy-model-03.txt

Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsp-config-policy-model-03.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail.

Send a message to: mailserv@ietf.org. In the body type:
"FILE /internet-drafts/draft-ietf-ipsp-config-policy-model-03.txt".

NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.

--NextPart
Content-Type: Multipart/Alternative; Boundary="OtherAccess"

--OtherAccess
Content-Type: Message/External-body;
    access-type="mail-server";
    server="mailserv@ietf.org"

Content-Type: text/plain
Content-ID: <20010726170624.I-D@ietf.org>

ENCODING mime
FILE /internet-drafts/draft-ietf-ipsp-config-policy-model-03.txt

--OtherAccess
Content-Type: Message/External-body;
    name="draft-ietf-ipsp-config-policy-model-03.txt";
    site="ftp.ietf.org";
    access-type="anon-ftp";
    directory="internet-drafts"

Content-Type: text/plain
Content-ID: <20010726170624.I-D@ietf.org>

--OtherAccess--

--NextPart--
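The two draft abstracts in this thread describe the same shape from two sides: a PCIM-derived, object-oriented policy model whose rule classes carry IKE phase one and phase two parameters (the configuration policy model), and a PIB whose rule class instances are pushed to gateways over COPS-PR. As an added example that is not text or code from either draft, here is a toy Python model of that shape: assumed class and field names (they are not the drafts' class names), a priority-ordered rule set with a closed default as an SPD has, and a load-time check that a "protect" rule actually carries proposals. The sample policy and packets are constructed for the example.

```python
# Toy PCIM-style IPsec policy model. Added example, not text or code from the
# drafts; class and field names are assumptions for illustration only, not the
# classes defined in the policy model draft or the IPsec PIB.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IKEProposal:            # IKE phase one parameters (peer authentication, keying)
    encryption: str           # e.g. "3des-cbc"
    hash_alg: str             # e.g. "sha1"
    auth_method: str          # e.g. "rsa-signature"
    dh_group: int             # e.g. 2
    lifetime_seconds: int


@dataclass(frozen=True)
class IPsecProposal:          # IKE phase two parameters (the IPsec SA under the DOI)
    protocol: str             # "esp" or "ah"
    transform: str            # ESP cipher, or AH integrity algorithm
    integrity: Optional[str]  # ESP authentication algorithm, None for AH
    mode: str                 # "tunnel" or "transport"
    pfs_group: Optional[int]  # DH group for perfect forward secrecy, or None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                # IP protocol number (6 = TCP, 17 = UDP)
    dport: Optional[int]      # destination port, None if the protocol has none


@dataclass(frozen=True)
class Selector:               # policy condition: an SPD-style traffic selector
    src: str                  # CIDR prefix
    dst: str                  # CIDR prefix
    proto: Optional[int] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport))


@dataclass(frozen=True)
class PolicyRule:             # PCIM-style rule: condition, action, priority
    name: str
    priority: int
    condition: Selector
    action: str               # "protect", "bypass" or "discard"
    ike: Optional[IKEProposal] = None
    ipsec: Optional[IPsecProposal] = None


class PolicyGroup:
    """Ordered rule set with a closed default, like an SPD."""

    def __init__(self, rules: List[PolicyRule], default_action: str = "discard"):
        for r in rules:
            # A "protect" rule with no proposals cannot be enforced; fail at
            # load time instead of silently passing or dropping traffic later.
            if r.action == "protect" and (r.ike is None or r.ipsec is None):
                raise ValueError(f"rule {r.name!r} protects but carries no proposals")
        # Highest priority first. sorted() is stable, so rules of equal priority
        # keep their configured order, as entries in an ordered SPD do.
        self.rules = sorted(rules, key=lambda r: -r.priority)
        self.default_action = default_action

    def select(self, pkt: Packet) -> Tuple[str, Optional[PolicyRule]]:
        """First matching rule in priority order; the default if none matches."""
        for rule in self.rules:
            if rule.condition.matches(pkt):
                return rule.action, rule
        return self.default_action, None


def build_sample_policy() -> PolicyGroup:
    """Constructed sample policy: a site-to-site tunnel with IKE itself bypassed."""
    ike = IKEProposal("3des-cbc", "sha1", "rsa-signature", 2, 28800)
    esp = IPsecProposal("esp", "3des-cbc", "hmac-sha1", "tunnel", 2)
    return PolicyGroup([
        # IKE (UDP/500) must bypass IPsec, or no SA could ever be negotiated.
        PolicyRule("ike-bypass", 100, Selector("0.0.0.0/0", "0.0.0.0/0", 17, 500), "bypass"),
        # A narrow discard placed above the broad protect rule overrides it.
        PolicyRule("block-telnet", 60, Selector("0.0.0.0/0", "10.2.0.0/16", 6, 23), "discard"),
        PolicyRule("site-to-site", 50, Selector("10.1.0.0/16", "10.2.0.0/16"), "protect", ike, esp),
    ])


if __name__ == "__main__":
    policy = build_sample_policy()
    for pkt in (Packet("10.1.1.5", "10.2.0.7", 6, 443), Packet("10.1.1.5", "10.2.0.7", 6, 23),
                Packet("10.1.1.5", "10.2.0.7", 17, 500), Packet("10.1.1.5", "192.0.2.1", 6, 80)):
        action, rule = policy.select(pkt)
        print(pkt, "->", action, rule.name if rule else "(default)")
```

The point the model makes about ordering is the one a practitioner has to get right when such rules are distributed to a gateway: a 443 packet between the two sites is protected, a telnet packet to the same destination is discarded because the narrower rule outranks the tunnel rule, IKE itself is bypassed so the tunnel can be negotiated at all, and anything nothing matches falls to the closed default. Two rules of equal priority with overlapping selectors are resolved only by configured order, which is exactly the kind of ambiguity a shared policy model is meant to make explicit.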