Minutes of the IPsec Policy BOF (ipsp)
--------------------------------------
BOF Chairs:  Luis Sanchez <[email protected]>
            Roy Pereira  <[email protected]>

Reported by: John Zao, Matt Condell
Edited by:   Luis Sanchez and Roy Pereira

Summary (reported by: Luis Sanchez)
-----------------------------------

The IPsec Policy BOF met Wednesday, March 17 for two hours. Over 150
individuals attended the meeting. The meeting began with a
presentation of a taxonomy of IPsec Policy related problems that the
BOF chairs believe a group working in this area should address.

There were several other presentations covering different solutions to
the problem of general schemas, policy languages, directory systems,
general policy systems and specific new key exchanges for IKE. After
the presentations several members of the audience expressed their
support for this work and their discontent with the existing vendor
dependent solutions.

There was consensus that a WG should be formed to: 1) address the need
for a general IPsec policy model that fits within the general policy
schema currently under development by the Policy WG, 2) adopt a vendor
independent policy specification language and, 3) develop an
inter-domain dynamic policy discovery, negotiation and conflict
resolution protocol independent of any Key Exchange or protocol
suite.

A mailing list was announced and the BOF chairs agreed under
guidance of the Area directors to refine the proposed charter to
accommodate the suggestions made during the BOF. The next paragraphs
cover each of the presentations in some level of detail.

IP Security Issues (Roy Pereira-Timestep and Luis Sanchez-BBN Tech)
----------------------------------------------------------------------

Roy delivered this initial presentation. He identified the following
three main issues relevant to IPsec policies.

       o Entities with un-synchronized policies may not communicate
       o Needs to discover security gateways along secure
         communication paths
               + needs to deal with complex topology
               + needs to manage intra-/inter-domain policies
       o Existence of different and proprietary IPSec policy models

Roy also listed the four initial Internet Drafts submitted to the BOF,
outlined the issues that motivate the formation of a working group,
and announced the mailing list.

Documents
       draft-ietf-ipsec-policy-model-00.txt
       draft-ietf-ipsec-vpn-policy-schema-00.txt
       draft-ietf-ipsec-spsl-00.txt
       draft-ietf-ipsec-sps-00.txt

Mailing List
       [email protected]
       To subscribe, send mail to [email protected]
       with subscribe ipsec-policy in email message body

Policy Framework for IPSec (Pyda Srisuresh-Lucent and Luis Sanchez-BBN Tech)
----------------------------------------------------------------------------

Pyda motivated the development of an IPsec policy framework by
highlighting the characteristics of IPsec policy management task, the
potential problems and the requirements of policy framework.

Pyda described the following problems as key problems that a group
working in this area should addressed:

       o different matching orders of policies may exist
       o policy request & response packets may go through different routes
       o applications with dynamic sessions can only be protected by
         coarse-grain policies

He also described some of the requirements for solutions in this
problem space:

       o flexible, router-independent representation
       o end-node policy query & discovery of policies
       o mechanism for policy exchange
       o policy negotiation as an integral part of SA negotiation
       o resolution of policy conflicts
       o dynamically update policies
       o policy description mechanism that permits SA bundling
       o error notification to end-nodes

<<Comments>>

There are risks of disclosing policies to communicating peers.

<<Response>>

We must allow the peers to know the policies relevant to the
communication.  The concern is how not to disclose other irrelevant
policies.

LDAP VPN Policy Schema (Charlie Kunzinger, IBM)
----------------------------------------------------------------------------

The speaker reported the architecture model, the high-level schema and
the issues addressed by Internet-Draft, LDAP VPN Policy Schema. Some
of the issues included:

       o Format of condition list
         - the use of BNF/CNF
       o Semantics of security policy
         - Should the policies be meta-rules deriving lower level rules?
         - Or, should it be like filtering rules specifying PEP actions?
       o Policy implementation in heterogeneous network
         - How to implement a policy on devices supporting different
           algorithms
         - Suggestions: use abstract algorithm grouping

SPS and SPSL (Matt Condell, BBN Technologies)
----------------------------------------------------------------------------

Matt highlighted the functions of Security Policy Specification
Language [SPSL], and explained the operation of Security Policy Protocol
[SPP] that enables discovery and authenticated message exchanges among
policy servers.

<<Comments>>

The policy server discovery mechanism (by sending query messages from
upstream servers to destination host) may not work in some routing conditions.
Other mechanisms may be used to perform the same function.

<<Response>>
The discussion will be continued off-line.

Multi-Domain IKE (Charles Lynn-BBN Tech for Kai Martius-Secunet)
----------------------------------------------------------------------------

Kai proposes extensions to IKE that will enable a chain of IPsec
agents to establish security associations (SAs) for protecting an
end-to-end communication with minimal message flow and shared
knowledge of SPIs.

Kai's scheme proposes to reduce number of IKE message exchanges
between security gateways and to enable trusted gateways to derive
filtering rules of IPsec-ESP/AH tunnel traffic based on the knowledge
of SPIs.  An internet-draft describing the mechanism will be available
soon. Send any questions or comments to [email protected]

On-going Work in Policy Framework Working Group (Ed Ellesson, IBM)
----------------------------------------------------------------------------

Mailing lists of Policy Framework WG:
  General Discussion: [email protected]
  To Subscribe: [email protected]
  In Body: subscribe
  Archive: http://www.raleigh.ibm.com/maillists/policy

Ed introduced the Policy Framework WG. He explained its charter and
summarized the short history of their work. The charter mandated the WG to
develop means to represent, merge and share policies of network services
and configuration. The work was based on results provided by CIM and DEN
initiatives. Currently, the policy schema is rest on a declarative language.

<<Questions>>

Why limiting the policy language to be declarative instead of
programmatic?  Will the declarative nature of the language limit its
capability in specifying stateful packet filtering and intrusion
detection/response strategy?

<<Answers>>

A declarative language is chosen so that the WG may focus on a small
set of issues and gain some experience in developing the schema.  More
understanding of stateful packet filtering and intrusion
detection/response is needed before commenting on the capability of
the language in handling their specification.

Another comment: the language (with if-then construct) may not be strictly
declarative.

Requirements of an IPsec Policy System for Dynamic Security
Association (S.Felix, NCSU)
-----------------------------------------------------------

Felix discussed the Deciduous project. The Deciduous project at NCSU
investigates how to utilize the IPsec framework to support intrusion
detection and particularly attack source identification without
introducing any new protocols.

One key component in this project is to dynamically and efficiently
establish IPsec SAs in reacting to the analysis results from an
intrusion detection system. Felix discussed the requirements for a
IPsec Policy system to support the Deciduous architecture. For more
information see http://shang.csc.ncsu.edu/deciduous

IPSec Policy Specification (Jamie Jason and Skip Booth, Intel Corp.)
----------------------------------------------------------------------------

Skip discussed the basic requirements for IPsec policies. He covered
generic format and extensibility issues. He discussed the aspects of a
core-representation and a task-specific-representation. Jamie
discussed the need to define policy building blocks such as conditions
and actions. He pointed out that conditions are generic and actions
are task-specific.

IPSec Policy Schema (Bill Dixon, Microsoft)
----------------------------------------------------------------------------

Bill presented by the underlying concepts of Directory Enabled Networking
(DEN) and made the following suggestions on the coordination between
Policy Framework and IPSec Policy WGs:

  + Develop basic policy architecture and schema in Policy Framework WG;
  + Define VPN policy architecture in IPSec WG;
  + Define VPN policies in IPSec Policy WG.

<<Comments>>

Saying that IKE is already doing some form of multi-domain policy
negotiation is inaccurate. IKE conducts point-to-point SA negotiations
by exchanging protection suite proposals, but it must rely on other
systems to determine the kind of services to be supported by the SAs
and the range of protection suite to be proposed along the
communication path.

Policy Maker (Matt Blaze, ATT Research)
----------------------------------------------------------------------------

Matt made an announcement on the recent progress in Keynote, a security
policy and trust management system. Implementation of Keynote (v.2.0) is
ready. Please write to [email protected] for more information.

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.