From owner-ipsec-policy@mail.vpnc.org  Mon Jul 12 13:19:09 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA25426
	for <ipsp-archive@lists.ietf.org>; Mon, 12 Jul 2004 13:19:07 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i6CGRRpL037818;
	Mon, 12 Jul 2004 09:27:27 -0700 (PDT)
	(envelope-from owner-ipsec-policy@mail.vpnc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i6CGRRUi037817;
	Mon, 12 Jul 2004 09:27:27 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f
Received: from smail3.alcatel.fr (smail3.alcatel.fr [64.208.49.56])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i6CGRPic037806
	for <ipsec-policy@vpnc.org>; Mon, 12 Jul 2004 09:27:26 -0700 (PDT)
	(envelope-from yacine.el_mghazli@alcatel.fr)
Received: from frmail30.netfr.alcatel.fr (frmail30.netfr.alcatel.fr [155.132.182.163])
	by smail3.alcatel.fr (ALCANET/NETFR) with ESMTP id i6CGNZYa012293;
	Mon, 12 Jul 2004 18:23:36 +0200
Received: from alcatel.fr ([172.25.72.141])
          by frmail30.netfr.alcatel.fr (Lotus Domino Release 5.0.9a)
          with ESMTP id 2004071218233408:4427 ;
          Mon, 12 Jul 2004 18:23:34 +0200 
Message-ID: <40F2BB06.7050807@alcatel.fr>
Date: Mon, 12 Jul 2004 18:23:34 +0200
From: Yacine.El_Mghazli@alcatel.fr
Organization: Alcatel R&I
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-gb, fr-fr, en, fr
MIME-Version: 1.0
To: Michael Baer <baerm@sparta.com>
Cc: ipsec-policy@vpnc.org, hardaker@tislabs.com, rs-snmp@revelstone.com,
        cliffwang2000@yahoo.com,
        Julien Bournelle <Julien.Bournelle@int-evry.fr>,
        Yoshihiro Ohba <yohba@tari.toshiba.com>
Subject: IKE ACTION MIB usage (practical stuff)
References: <40B1B345.6000208@alcatel.fr> <m3zn7xu0j9.fsf@sparta.com>
In-Reply-To: <m3zn7xu0j9.fsf@sparta.com>
X-MIMETrack: Itemize by SMTP Server on FRMAIL30/FR/ALCATEL(Release 5.0.9a |January 7, 2002) at
 07/12/2004 18:23:34,
	Serialize by Router on FRMAIL30/FR/ALCATEL(Release 5.0.9a |January 7, 2002) at
 07/12/2004 18:23:40,
	Serialize complete at 07/12/2004 18:23:40
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii; format=flowed
X-Alcanet-MTA-scanned-and-authorized: yes
Sender: owner-ipsec-policy@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ipsec-policy/mail-archive/>
List-ID: <ipsec-policy.vpnc.org>
List-Unsubscribe: <mailto:ipsec-policy-request@vpnc.org?body=unsubscribe>


hello,

this email deals with practical usage of the IPSec configuration MIBs 
this working group designed. It is for re-use in the PANA framework (see 
http://www.ietf.org/internet-drafts/draft-ietf-pana-snmp-00.txt).

below is a picture of the PANA functional model:

                                               RADIUS/
                                               Diameter/
         +-----+       PANA        +-----+     LDAP/ API    +-----+
         | PaC |<----------------->| PAA |<---------------->| AS  |
         +-----+                   +-----+                  +-----+
            ^                         ^
            |                         |
            |         +-----+         |
       IKE/ +-------->| EP  |<--------+ SNMP
    4-way handshake   +-----+

                     Figure 1: PANA Functional Model


in brief: once the PaC is authorized by the PAA and the AS (via EAP), the 
PAA is in charge of configuring the access point (EP) with authz 
information.
in the IPsec-based access control case, we might want to configure IKE 
at the EP: the PAA provides the EP with the following information:
- PaC IP address (PaC-TIA)
- "PANA-Session-Id|PANA-Key-Id" as the id_key_id for aggressive mode
- "PSK-from-PAA" as the Pre-shared Key for phase 1 exchanges

you'll find below a tentative example of configuration using your MIBs.
if possible, could you please check and correct any mistakes?


thanks,
yacine

------------------------------------------------------
    so far we define two policy groups ("EP-SPD-IN" and "EP-SPD-OUT"):

    spdEndpointToGroupTable.1 =
       spdEndGroupDirection = incoming;
       spdEndGroupIdentType = IPv4;
       spdEndGroupAddress = EP-ADDR;
       spdEndGroupName = "EP-SPD-IN";

    spdEndpointToGroupTable.2 =
       spdEndGroupDirection = outgoing;
       spdEndGroupIdentType = IPv4;
       spdEndGroupAddress = EP-ADDR;
       spdEndGroupName = "EP-SPD-OUT";

    We define two filters in the "IP Header filter" table: one matches IP
    packets coming from the PaC, the other matches IP packets going to the
    PaC.

    spdIpHeaderFilterTable.1 =
       spdIpHeadFiltName = "PaC1-TIA Filter SOURCE";
       spdIpHeadFiltType = { sourceAddress ON };
       spdIpHeadFiltIPVersion = v4;
       spdIpHeadFiltSrcAddressBegin = PaC1-TIA;
       spdIpHeadFiltSrcAddressEnd = PaC1-TIA;

    spdIpHeaderFilterTable.2 =
       spdIpHeadFiltName = "PaC1-TIA Filter DEST";
       spdIpHeadFiltType = { destAddress ON };
       spdIpHeadFiltIPVersion = v4;
       spdIpHeadFiltSrcAddressBegin = PaC1-TIA;
       spdIpHeadFiltSrcAddressEnd = PaC1-TIA;

    -- IKE Phase 1 configuration (aggressive mode):

    We define a sub-group in policy group "EP-SPD-IN" of the SPD MIB,
    using the "Group contents" table.  This sub-group is dedicated to the
    IKE traffic coming to the EP:

    spdGroupContentsTable.1 =
       spdGroupContName = "EP-SPD-IN";
       spdGroupContPriority = 1;
       spdGroupContFilter = ipiaStaticFilters.1;
       spdGroupContComponentType = sub-group;
       spdGroupContComponentName = "EP-IKE-Phase1-IN";

    And within this IKE-specific policy sub-group we now specify the rule
    to apply for the IKE traffic coming from PaC1.

    spdGroupContentsTable.2 =
       spdGroupContName = "IKE-Phase1-IN";
       spdGroupContPriority = 1;
       spdGroupContFilter = spdIpHeaderFilterTable.1;
       spdGroupContComponentType = rule;
       spdGroupContComponentName = "PaC1-IKE-RULE";

    An entry in the "IP Header filter" table helps define the filter to
    match packets coming from PaC1.

    spdIpHeaderFilterTable.1 =
       spdIpHeadFiltName = "PaC1-TIA Filter SOURCE";
       spdIpHeadFiltType = { sourceAddress ON };
       spdIpHeadFiltIPVersion = v4;
       spdIpHeadFiltSrcAddressBegin = PaC1-TIA;
       spdIpHeadFiltSrcAddressEnd = PaC1-TIA;

    The "Rule Definition" table links a rule with a given action in the
    IKE action MIB.  This action will be triggered upon reception at
    the EP of an IKE packet coming from PaC1.

    spdRuleDefinitionTable.1 =
       spdRuleDefName = "PaC1-IKE-RULE";
       spdRuleDefDescription = "IPSec Access Control for PaC1";
       spdRuleDefFilter = spdIpHeaderFilterTable.1;
       spdRuleDefFilterNegated = false (default);
       spdRuleDefAction = spdIkeActionTable.1;

    The "IKE action" entry below specifies the main parameters for the
    IKE exchanges.

    ipiaIkeActionTable.1 =
       ipiaIkeActName = "PaC1-IKE";
       ipiaIkeActParametersName = "SA-PaC1";
       ipiaIkeActThresholdDerivedKeys = 100 (default);
       ipiaIkeActExchangeMode = aggressive;
       ipiaIkeActAgressiveModeGroupId = xxx [Diffie-Hellman values];
       ipiaIkeActIdentityType = idKeyId;
       ipiaIkeActIdentityContext = "PANA";
       ipiaIkeActPeerName = "PaC1";

    ipiaSaNegotiationParametersTable.1 =
       ipiaSaNegParamName = "SA-PaC1";
       ipiaSaNegParamMinLifetimeSecs = xxx;
       ipiaSaNegParamMinLifetimeKB = xxx;
       ipiaSaNegParamRefreshThreshSecs = xxx;
       ipiaSaNegParamRefreshThresholdKB = xxx;
       ipiaSaNegParamIdleDurationSecs = xxx;

    The "Peer Identity" table specifically informs the EP on the value of
    the idKeyId to use in IKE messages with PaC1:

    ipiaPeerIdentityFilterTable.1 =
       ipiaPeerIdFiltName = "PaC1";
       ipiaPeerIdFiltIdentityType = idKeyId;
       ipiaPeerIdFiltIdentityValue = "PANA-Session-Id|PANA-Key-Id";

    The following entry links a given identity (PaC1) with an entry in
    the "Credentials" table.

    ipiaIkeIdentityTable.1 =
       spdEndGroupIdentType = IPv4;
       spdEndGroupAddress = EP-ADDR;
       ipiaIkeActIdentityType = idKeyId [?????];
       ipiaIkeActIdentityContext = PANA;
       ipiaIkeIdCredentialName = "PaC1-PSK";

    Finally the pre-shared key derived at the PAA is set here:

    ipiaCredentialFilterTable.1 =
       ipiaCredFiltName = "PaC1-PSK";
       ipiaCredFiltCredentialType = sharedSecret;
       ipiaCredFiltMatchFieldName = (sharedSecret);
       ipiaCredFiltMatchFieldValue = "PSK-from-PAA";

