From owner-ipsec-policy@mail.vpnc.org  Mon May  6 05:52:20 2002
Received: from above.proper.com (mail.imc.org [208.184.76.43])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA11032
	for <ipsp-archive@odin.ietf.org>; Mon, 6 May 2002 05:52:20 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id g469EUh09267
	for ipsec-policy-bks; Mon, 6 May 2002 02:14:30 -0700 (PDT)
Received: from smtp5.cluster.oleane.net (smtp5.cluster.oleane.net [195.25.12.27])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id g469EQL09257
	for <ipsec-policy@vpnc.org>; Mon, 6 May 2002 02:14:27 -0700 (PDT)
Received: from oleane (upper-side.rain.fr [194.250.212.114]) by smtp5.cluster.oleane.net with SMTP id g469ELD95435 for <ipsec-policy@vpnc.org>; Mon, 6 May 2002 11:14:22 +0200 (CEST)
Message-ID: <013701c1f4df$0f45c6c0$0701a8c0@oleane.com>
From: "Peter Lewis" <peter.lewis@upperside.fr>
To: <ipsec-policy@vpnc.org>
Subject: IPSec Global Summit 
Date: Mon, 6 May 2002 11:19:00 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0134_01C1F4EF.D2052C40"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


The fourth annual IPSec Global Summit will take place in Paris October 22 through 25, 2002.
IPSec Global Summit 2002 will bring together the top players involved in the design, the testing and the deployment of the IP security protocol.
In particular, panel discussions and presentations will focus on the proposed candidates to replace IKE as well as the RFC 2401 evolution. Key words like "counter mode" or "HIP" will be discussed in detail.

A call for proposals is online at:
http://www.upperside.fr/ipsec02/ipsec02intro.htm




From owner-ipsec-policy@mail.vpnc.org  Thu May  9 18:48:21 2002
Received: from above.proper.com (mail.imc.org [208.184.76.43])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA12539
	for <ipsp-archive@odin.ietf.org>; Thu, 9 May 2002 18:48:20 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id g49M5p900973
	for ipsec-policy-bks; Thu, 9 May 2002 15:05:51 -0700 (PDT)
Received: from wanderer.hardakers.net (adsl-66-127-127-227.dsl.scrm01.pacbell.net [66.127.127.227])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id g49M5nL00969
	for <ipsec-policy@vpnc.org>; Thu, 9 May 2002 15:05:49 -0700 (PDT)
Received: (from hardaker@localhost)
	by wanderer.hardakers.net (8.11.6/8.11.6) id g49M5c313726;
	Thu, 9 May 2002 15:05:38 -0700
To: ipsec-policy@vpnc.org
Subject: model, granularity and ranges
From: Wes Hardaker <wes@hardakers.net>
Organization: Network Associates - NAI Labs
X-Face: #qW^}a%m*T^{A:Cp}$R\"38+d}41-Z}uU8,r%F#c#s:~Nzp0G9](s?,K49KJ]s"*7gvRgA
 SrAvQc4@/}L7Qc=w{)]ACO\R{LF@S{pXfojjjGg6c;q6{~C}CxC^^&~(F]`1W)%9j/iS/
 IM",B1M.?{w8ckLTYD'`|kTr\i\cgY)P4
Date: Thu, 09 May 2002 15:05:38 -0700
Message-ID: <sdpu05rn7x.fsf@wanderer.hardakers.net>
Lines: 30
User-Agent: Gnus/5.090006 (Oort Gnus v0.06) XEmacs/21.5 (bamboo,
 i686-pc-linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>



Currently, the model has decided to use the IPHeadersFilter from PCIMe
(which is a good thing I think), but the IPHeadersFilter object allows
for filtering on:

1) an address
2) a subnet
3) a range of addresses (eg: 10.0.0.5 - 11.1.2.3)

#3 supports the ability to filter on a range of addresses that does
not necessarily lie directly across a normal subnet definition.

The question is what to do when the filter is a range of addresses but
the Granularity property of the IPsecAction object is set to
"subnet".  What is the selector supposed to look like for an SA in
this case?  I'd suggest that it should be a single address.  I think
the full list of choices is:

1) a single address (my recommendation).
2) a subnet that most widely selects the matched address but still
   falls entirely within the range (ick, but doable).
3) multiple #2s such that multiple SAs are developed to completely
   cover the range in question (even more ick, but still doable).

Thoughts?

-- 
Wes Hardaker
NAI Labs
Network Associates

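The three choices above, worked through as an added example; this is not code from the thread or from any IPsec policy draft, and the function names are this example's own. It takes the range Wes quotes (10.0.0.5 - 11.1.2.3) and a constructed matched address, and derives the SA selector(s) each choice would produce when the IPsecAction Granularity is "subnet": a /32 for choice 1, the widest CIDR block around the matched address that still fits inside the range for choice 2, and the minimal CIDR decomposition of the whole range (one SA per block) for choice 3.

```python
# Added example, not code from the thread or from any IPsec policy draft:
# the three ways Wes lists of turning an IPHeadersFilter address *range*
# into SA selectors when the IPsecAction Granularity is "subnet".
# Function names below are this example's own.
import ipaddress
from typing import List

IPv4Net = ipaddress.IPv4Network


def single_address_selector(addr: str) -> IPv4Net:
    """Choice 1: one host selector (/32) for the address that matched."""
    return ipaddress.ip_network(f"{addr}/32")


def widest_subnet_in_range(addr: str, first: str, last: str) -> IPv4Net:
    """Choice 2: the widest CIDR block that contains `addr` and still lies
    entirely within [first, last]. Degrades to /32 when nothing wider fits
    (e.g. for an address right at the edge of the range)."""
    a = ipaddress.ip_address(addr)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if not lo <= a <= hi:
        raise ValueError(f"{addr} is outside {first}-{last}")
    best = ipaddress.ip_network(f"{addr}/32")
    for prefix in range(31, -1, -1):
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        # Blocks only grow as the prefix shortens, so the first one that
        # spills outside the range ends the search.
        if net.network_address < lo or net.broadcast_address > hi:
            break
        best = net
    return best


def cover_range_with_subnets(first: str, last: str) -> List[IPv4Net]:
    """Choice 3: the minimal list of CIDR blocks whose union is exactly the
    range; each block would become its own SA selector."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return list(ipaddress.summarize_address_range(lo, hi))


def covered_address_count(nets: List[IPv4Net]) -> int:
    """Sanity check for choice 3: total addresses across the blocks."""
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    # Range taken from Wes's message; the matched address is constructed.
    first, last, hit = "10.0.0.5", "11.1.2.3", "10.0.1.7"
    print("choice 1:", single_address_selector(hit))
    print("choice 2:", widest_subnet_in_range(hit, first, last))
    blocks = cover_range_with_subnets(first, last)
    print("choice 3:", len(blocks), "SAs, e.g.", blocks[:3])
```

For a matched address of 10.0.1.7 choice 2 yields 10.0.1.0/24, because 10.0.0.0/23 would already reach below 10.0.0.5; for 10.0.0.5 itself it collapses to a /32. Choice 3 on the full range produces a long list of blocks, which is the "even more ick" part: every one of them is a separate SA.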

From owner-ipsec-policy@mail.vpnc.org  Tue May 14 10:20:39 2002
Received: from above.proper.com (mail.imc.org [208.184.76.43])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA20717
	for <ipsp-archive@odin.ietf.org>; Tue, 14 May 2002 10:20:39 -0400 (EDT)
Received: by above.proper.com (8.11.6/8.11.3) id g4EDcZC03960
	for ipsec-policy-bks; Tue, 14 May 2002 06:38:35 -0700 (PDT)
Received: from cisco.com (brussels.cisco.com [144.254.15.68])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id g4EDcXL03956
	for <ipsec-policy@vpnc.org>; Tue, 14 May 2002 06:38:33 -0700 (PDT)
Received: from EVYNCKE-W2K.cisco.com (ams-clip-vpn-dhcp54.cisco.com [10.50.0.53])
	by cisco.com (8.8.8+Sun/8.8.8) with ESMTP id PAA16469;
	Tue, 14 May 2002 15:38:25 +0200 (MET DST)
Message-Id: <4.3.2.7.2.20020514153627.025a10f8@brussels.cisco.com>
X-Sender: evyncke@brussels.cisco.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 14 May 2002 15:38:22 +0200
To: Wes Hardaker <wes@hardakers.net>
From: Eric Vyncke <evyncke@cisco.com>
Subject: Re: model, granularity and ranges
Cc: ipsec-policy@vpnc.org
In-Reply-To: <sdpu05rn7x.fsf@wanderer.hardakers.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


Wes

This is a good point and I would follow your recommendation but rephrase 
it like 'when the IPHeadersFilter specifies an IP address range then the 
Granularity property cannot be set to 1 (= subnet)'.

What do you think?

I would amend the -06 with this

-eric


At 15:05 9/05/2002 -0700, Wes Hardaker wrote:


>Currently, the model has decided to use the IPHeadersFilter from PCIMe
>(which is a good thing I think), but the IPHeadersFilter object allows
>for filtering on:
>
>1) an address
>2) a subnet
>3) a range of addresses (eg: 10.0.0.5 - 11.1.2.3)
>
>#3 supports the ability to filter on a range of addresses that does
>not necessarily lie directly across a normal subnet definition.
>
>The question is what to do when the filter is a range of addresses but
>the Granularity property of the IPsecAction object is set to
>"subnet".  What is the selector supposed to look like for an SA in
>this case?  I'd suggest that it should be a single address.  I think
>the full list of choices is:
>
>1) a single address (my recommendation).
>2) a subnet that most widely selects the matched address but still
>    falls entirely within the range (ick, but doable).
>3) multiple #2s such that multiple SAs are developed to completely
>    cover the range in question (even more ick, but still doable).
>
>Thoughts?
>
>--
>Wes Hardaker
>NAI Labs
>Network Associates



From owner-ipsec-policy@mail.vpnc.org  Tue May 14 11:15:26 2002
Received: from above.proper.com (mail.imc.org [208.184.76.43])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA22954
	for <ipsp-archive@odin.ietf.org>; Tue, 14 May 2002 11:15:24 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id g4EEgvU07148
	for ipsec-policy-bks; Tue, 14 May 2002 07:42:57 -0700 (PDT)
Received: from wanderer.hardakers.net (adsl-66-127-127-226.dsl.scrm01.pacbell.net [66.127.127.226])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id g4EEgtL07140
	for <ipsec-policy@vpnc.org>; Tue, 14 May 2002 07:42:55 -0700 (PDT)
Received: (from hardaker@localhost)
	by wanderer.hardakers.net (8.11.6/8.11.6) id g4EEgbC06175;
	Tue, 14 May 2002 07:42:37 -0700
To: Eric Vyncke <evyncke@cisco.com>
Cc: ipsec-policy@vpnc.org
Subject: Re: model, granularity and ranges
References: <4.3.2.7.2.20020514153627.025a10f8@brussels.cisco.com>
From: Wes Hardaker <wes@hardakers.net>
Organization: Network Associates - NAI Labs
X-Face: #qW^}a%m*T^{A:Cp}$R\"38+d}41-Z}uU8,r%F#c#s:~Nzp0G9](s?,K49KJ]s"*7gvRgA
 SrAvQc4@/}L7Qc=w{)]ACO\R{LF@S{pXfojjjGg6c;q6{~C}CxC^^&~(F]`1W)%9j/iS/
 IM",B1M.?{w8ckLTYD'`|kTr\i\cgY)P4
Date: Tue, 14 May 2002 07:42:36 -0700
In-Reply-To: <4.3.2.7.2.20020514153627.025a10f8@brussels.cisco.com> (Eric
 Vyncke's message of "Tue, 14 May 2002 15:38:22 +0200")
Message-ID: <sdbsbidc4j.fsf@wanderer.hardakers.net>
Lines: 29
User-Agent: Gnus/5.090006 (Oort Gnus v0.06) XEmacs/21.5 (bamboo,
 i686-pc-linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


>>>>> On Tue, 14 May 2002 15:38:22 +0200, Eric Vyncke <evyncke@cisco.com> said:

Eric> This is a good point and I would follow your recommendation but
Eric> rephrased it like 'when the IPHeadersFilter specifies an IP
Eric> address range then the Granularity property cannot be set to 1
Eric> (= subnet).

That's fine too.  It moves the error checking to configuration time,
rather than run time so that makes perfect sense.

The problem is that dynamic changes to policy will cause a problem.
Consider the case when rules are being modified dynamically and a
filter is changed from a single address to a range.  The actions then
need to be consulted for all rules which contain the particular filter
to ensure they're still appropriate.  I.e., is the reverse case also
true?  Can you change a filter to a range if it is currently
associated with an action which has a granularity of subnet?

(While writing this, I'm realizing there are other problems with
granularity being tied to the actions...  What happens when multiple
IPHeaderFilters are evaluated under a rule and have different narrower
and wider filtering properties?  Like two filters with different
subnet checks that both match the address.  What does a "subnet"
granularity mean then?  Take the wider of the 2?)

-- 
Wes Hardaker
NAI Labs
Network Associates

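Eric's configuration-time constraint and the reverse case Wes raises, as an added example (not code from the thread or from any IPsec policy draft). The IPHeadersFilter / SARule / IPsecAction classes here are this example's own simplified stand-ins, with filters shared by name across rules; the only Granularity value taken from the thread is 1 (= subnet), other values are treated as opaque integers. The store rejects a new rule that pairs a range filter with a subnet-granularity action, and, when an existing filter is changed, re-validates every rule that references it before the change takes effect. It also exposes the second ambiguity (two subnet filters of one rule both matching an address) without deciding it, since the thread leaves that open.

```python
# Added example, not from the thread: configuration-time checks for the
# range-filter / subnet-granularity conflict, including the reverse case
# where a filter already in use is later changed into a range.
from dataclasses import dataclass
import ipaddress
from typing import Dict, List

GRANULARITY_SUBNET = 1  # the only Granularity value quoted in the thread


class PolicyError(ValueError):
    pass


@dataclass
class IPHeadersFilter:
    name: str
    kind: str   # "address", "subnet" or "range" (the three forms Wes lists)
    value: str  # e.g. "10.0.0.5", "10.0.0.0/24", "10.0.0.5-11.1.2.3"

    def __post_init__(self):
        # Reject malformed values when the filter is configured, not later.
        if self.kind == "address":
            ipaddress.ip_address(self.value)
        elif self.kind == "subnet":
            ipaddress.ip_network(self.value)
        elif self.kind == "range":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            if hi < lo:
                raise PolicyError(f"{self.name}: range end precedes start")
        else:
            raise PolicyError(f"{self.name}: unknown filter kind {self.kind!r}")


@dataclass
class IPsecAction:
    name: str
    granularity: int


@dataclass
class SARule:
    name: str
    filters: List[str]  # names of shared IPHeadersFilter instances
    action: str         # name of the IPsecAction


class PolicyStore:
    def __init__(self):
        self.filters: Dict[str, IPHeadersFilter] = {}
        self.actions: Dict[str, IPsecAction] = {}
        self.rules: Dict[str, SARule] = {}

    def add_filter(self, f: IPHeadersFilter):
        self.filters[f.name] = f

    def add_action(self, a: IPsecAction):
        self.actions[a.name] = a

    @staticmethod
    def _conflicts(filters, action) -> List[str]:
        """Eric's constraint: a range filter may not meet subnet granularity."""
        if action.granularity != GRANULARITY_SUBNET:
            return []
        return [f.name for f in filters if f.kind == "range"]

    def add_rule(self, rule: SARule):
        action = self.actions[rule.action]
        filters = [self.filters[n] for n in rule.filters]
        bad = self._conflicts(filters, action)
        if bad:
            raise PolicyError(f"rule {rule.name}: range filter(s) {bad} "
                              f"with subnet granularity")
        self.rules[rule.name] = rule

    def change_filter(self, name: str, kind: str, value: str):
        """The reverse case: re-check every rule that references the filter
        before the change lands, so a shared filter cannot quietly become a
        range underneath a subnet-granularity action."""
        new = IPHeadersFilter(name, kind, value)
        for rule in self.rules.values():
            if name not in rule.filters:
                continue
            action = self.actions[rule.action]
            filters = [new if n == name else self.filters[n] for n in rule.filters]
            if self._conflicts(filters, action):
                raise PolicyError(f"filter {name}: rule {rule.name} has "
                                  f"subnet granularity; change refused")
        self.filters[name] = new

    def subnet_candidates(self, rule_name: str, addr: str):
        """Wes's parenthetical: the subnet filters of one rule that all match
        addr, widest first. Which one 'subnet granularity' should mean is
        left open in the thread; this only makes the ambiguity visible."""
        a = ipaddress.ip_address(addr)
        rule = self.rules[rule_name]
        nets = [ipaddress.ip_network(self.filters[n].value)
                for n in rule.filters if self.filters[n].kind == "subnet"]
        return sorted((n for n in nets if a in n), key=lambda n: n.prefixlen)


def demo() -> dict:
    """Constructed scenario (range from Wes's mail, the rest made up);
    returns which operations the store accepted or rejected."""
    store = PolicyStore()
    store.add_filter(IPHeadersFilter("host-a", "address", "10.0.0.5"))
    store.add_filter(IPHeadersFilter("lab-range", "range", "10.0.0.5-11.1.2.3"))
    store.add_filter(IPHeadersFilter("net24", "subnet", "10.0.1.0/24"))
    store.add_filter(IPHeadersFilter("net16", "subnet", "10.0.0.0/16"))
    store.add_action(IPsecAction("tunnel-subnet", GRANULARITY_SUBNET))
    results = {}
    store.add_rule(SARule("r1", ["host-a"], "tunnel-subnet"))
    try:
        store.add_rule(SARule("r2", ["lab-range"], "tunnel-subnet"))
        results["range_with_subnet_action"] = "accepted"
    except PolicyError:
        results["range_with_subnet_action"] = "rejected"
    try:
        store.change_filter("host-a", "range", "10.0.0.5-10.0.0.9")
        results["filter_to_range_under_subnet_action"] = "accepted"
    except PolicyError:
        results["filter_to_range_under_subnet_action"] = "rejected"
    store.add_rule(SARule("r3", ["net24", "net16"], "tunnel-subnet"))
    results["subnet_candidates"] = [str(n) for n in store.subnet_candidates("r3", "10.0.1.7")]
    return results


if __name__ == "__main__":
    print(demo())
```

Both paths end in the same check, so the rule set stays consistent whichever side of the association changes; the cost is that a filter update has to touch every rule that shares the filter, which is exactly the dynamic-policy concern above.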

From owner-ipsec-policy@mail.vpnc.org  Wed May 29 17:27:42 2002
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA03987
	for <ipsp-archive@odin.ietf.org>; Wed, 29 May 2002 17:27:41 -0400 (EDT)
Received: by above.proper.com (8.11.6/8.11.3) id g4TKTAk24705
	for ipsec-policy-bks; Wed, 29 May 2002 13:29:10 -0700 (PDT)
Received: from grapple.btitelecom.net (grapple.btitelecom.net [216.187.255.38])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id g4TKT8J24696
	for <ipsec-policy@vpnc.org>; Wed, 29 May 2002 13:29:08 -0700 (PDT)
Received: from casey (216-187-252-13.ded.btitelecom.net [216.187.252.13])
	by grapple.btitelecom.net (8.11.2/8.11.2) with SMTP id g4TKT5C03600
	for <ipsec-policy@vpnc.org>; Wed, 29 May 2002 16:29:05 -0400
From: "Casey Carr" <kcarr@nc.rr.com>
To: <ipsec-policy@vpnc.org>
Subject: Uniqueness
Date: Wed, 29 May 2002 16:25:49 -0400
Message-ID: <LGEPIDKIMCMEJMAHEKALCEKMCJAA.kcarr@nc.rr.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit


Does the IPSec Policy Model or PCIM define how to uniquely identify an
instance of a class?

For example, the following is a cut and paste from the -05:

4.7.2. The Reference GroupComponent

   The property GroupComponent is inherited from PolicyRuleInPolicyGroup
   and is overridden to refer to an IPsecPolicyGroup instance.  The
   [1..1] cardinality indicates that a SARule instance may be contained
   in one and only one IPsecPolicyGroup instance (i.e., SARules are not
   shared across IPsecPolicyGroups).


What determines a unique instance of an SARule?  Should the model have
something similar to the INDEX definition used in MIBs?

I am currently using the rule name to uniquely identify a rule and realized
that this may not have been what was intended in the model.  I did a
quick review of PCIM and found no clues there either.

Thanks,
Casey



From owner-ipsec-policy@mail.vpnc.org  Wed May 29 17:42:09 2002
Received: from above.proper.com (mail.proper.com [208.184.76.45])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA04393
	for <ipsp-archive@odin.ietf.org>; Wed, 29 May 2002 17:42:09 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]])
	by above.proper.com (8.11.6/8.11.3) id g4TLE7S17870
	for ipsec-policy-bks; Wed, 29 May 2002 14:14:07 -0700 (PDT)
Received: from sj-msg-core-2.cisco.com (sj-msg-core-2.cisco.com [171.69.24.11])
	by above.proper.com (8.11.6/8.11.3) with ESMTP id g4TLE6J17861
	for <ipsec-policy@vpnc.org>; Wed, 29 May 2002 14:14:06 -0700 (PDT)
Received: from mira-sjcm-2.cisco.com (IDENT:mirapoint@mira-sjcm-2.cisco.com [171.69.24.14])
	by sj-msg-core-2.cisco.com (8.12.2/8.12.2) with ESMTP id g4TLDnPI004605;
	Wed, 29 May 2002 14:13:49 -0700 (PDT)
Received: from ANDREAWW2K (andreaw-frame1.cisco.com [10.19.253.186])
	by mira-sjcm-2.cisco.com (Mirapoint)
	with SMTP id ACZ76891;
	Wed, 29 May 2002 14:13:47 -0700 (PDT)
From: "Andrea Westerinen" <andreaw@cisco.com>
To: "Casey Carr" <kcarr@nc.rr.com>, <ipsec-policy@vpnc.org>
Subject: RE: Uniqueness
Date: Wed, 29 May 2002 14:13:47 -0700
Message-ID: <GGEOLLMKEOKMFKADFNHOAEOGEOAA.andreaw@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <LGEPIDKIMCMEJMAHEKALCEKMCJAA.kcarr@nc.rr.com>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Importance: Normal
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit


Casey, Different implementations have different concepts of names.  MIB rows
may have indexes, CIM classes have keys such as Name or InstanceID, etc.
The general model tries not to specify the key/identification structure
since it varies.  The specific data models will certainly define
identification mechanisms.

Andrea

-----Original Message-----
From: owner-ipsec-policy@mail.vpnc.org
[mailto:owner-ipsec-policy@mail.vpnc.org]On Behalf Of Casey Carr
Sent: Wednesday, May 29, 2002 1:26 PM
To: ipsec-policy@vpnc.org
Subject: Uniqueness



Does the IPSec Policy Model or PCIM define how to uniquely identify an
instance of a class?

For example, the following is a cut and paste from the -05:

4.7.2. The Reference GroupComponent

   The property GroupComponent is inherited from PolicyRuleInPolicyGroup
   and is overridden to refer to an IPsecPolicyGroup instance.  The
   [1..1] cardinality indicates that a SARule instance may be contained
   in one and only one IPsecPolicyGroup instance (i.e., SARules are not
   shared across IPsecPolicyGroups).


What determines a unique instance of an SARule?  Should the model have
something similar to the INDEX definition used in MIBs?

I am currently using the rule name to uniquely identify a rule and realized
that this may not have been what was intended in the model.  I did a
quick review of PCIM and found no clues there either.

Thanks,
Casey




