From owner-ipsec-policy@mail.vpnc.org Wed Nov 5 23:29:48 2003 Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA09638 for ; Wed, 5 Nov 2003 23:29:48 -0500 (EST) Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hA63qgkT015842 for ; Wed, 5 Nov 2003 19:52:42 -0800 (PST) (envelope-from owner-ipsec-policy@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id hA63qgMp015841 for ipsec-policy-bks; Wed, 5 Nov 2003 19:52:42 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f Received: from mail.xapiens.net ([204.181.75.66]) by above.proper.com (8.12.10/8.12.8) with SMTP id hA63qekT015832 for ; Wed, 5 Nov 2003 19:52:41 -0800 (PST) (envelope-from lsanchez@xapiens.com) Received: (qmail 20695 invoked from network); 6 Nov 2003 03:52:26 -0000 Received: from unknown (HELO xapiens.com) (204.181.75.148) by mail.xapiens.net with SMTP; 6 Nov 2003 03:52:26 -0000 Message-ID: <3FA9C57B.8000002@xapiens.com> Date: Wed, 05 Nov 2003 23:52:27 -0400 From: "Luis A. Sanchez" Organization: Xapiens Corporation User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax) X-Accept-Language: en-us, en MIME-Version: 1.0 To: "'ipsec-policy@vpnc.org'" Subject: Agenda Items Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ipsec-policy@mail.vpnc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Content-Transfer-Encoding: 7bit Folks, Hilarie and I are working on the IPSP agenda, please forward your requests to the mailing list. thanks! -luis Agenda Bashing WG and Document Status H. Orman MIB Document W. Hardaker PIB Document M. Li IPsec API work W. Sommerfeld pf_policy ? Summary From owner-ipsec-policy@mail.vpnc.org Mon Nov 10 18:06:41 2003 Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA19954 for ; Mon, 10 Nov 2003 18:06:40 -0500 (EST) Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hAAMR3kT095476 for ; Mon, 10 Nov 2003 14:27:03 -0800 (PST) (envelope-from owner-ipsec-policy@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id hAAMR3Nk095475 for ipsec-policy-bks; Mon, 10 Nov 2003 14:27:03 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f Received: from wanderer.hardakers.net (IDENT:asUib27kO60xO1FrjpDSOj+DFSbXpu3+@dyn137-171.ietf58.ietf.org [130.129.137.171]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hAAMR2kT095470 for ; Mon, 10 Nov 2003 14:27:03 -0800 (PST) (envelope-from hardaker@tislabs.com) Received: by wanderer.hardakers.net (Postfix, from userid 274) id 72AD4574A8; Mon, 10 Nov 2003 14:26:54 -0800 (PST) To: ipsec-policy@vpnc.org Subject: Splitting the IPSEC-POLICY-MIB into 3 parts. From: Wes Hardaker Organization: Sparta Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAGFBMVEXotKX87e8eDA4GAQbQgmlzNycHAwizYkruzul2AAACaUlEQVR4nFXUTW/jIBAGYFI56jWutuq1S9b2dddW6dWtQFxbq4jzwq73Glmg+fv7DiT9QJGS+GEGhiER67TWEQ5CtOeh21ZcIIbmOPq5QvMZYlyV6u+/gsJLTSrGIL/CxEPxQuPAcP0JYlQsq3x5B3UJmUaEyB6yZ+CQ+pwXCzKsbXtbIhg4KtZypPz+AVGtlxH69c87qAqRY6Rc5QUmZMGeAj+TfVjjUwE1lflKys5JGXpM+V0hltqCJ0qL7Plkft4wRM6lxi5p3Wyy7O7fB8TgtdZivxy5rvAB6wSYhbA9vn+GOCaOEGJRPO2mHgk+q1Chyf0Up3AG0NjhOXI19ogEFziq6M+ZtN3kUZ13NW4qUCprC3CW668C06M5jihON1Vsjq8F1CPJB8LINNeQfscwxUEvAwM5Xghvsq2pBr3hnKhbDIrMS3cBRDx70uS9JW2dy667gM0AbZFFmyvn3GOBGB8wG9kppaSNz357LaCmUdtSny5LU9qeCrglvJmyH20TwkjnXQE0usscIWayCWZJ7OpZ4QbUVGRnhuTub3cMYRk99oSplDIfibzfn0FyXyk7z8XThuvC0P/dGCwee7O8aZJBmh0vPixy0NrYhDaR02aR3W0BbyT6h23OB5Hzybj+DOm5w6XCOZG13p5Oh/bursJVh9S+bBiFnPCDuntpcTH080AO+7GlW1i3bRphBM04dZ2dI6yMLjmGFqnIok/cB1YU8sJAACTeuHOd5+lumQHfDM6KyLqEm4aWkkcc1m4PqBewZxBZOg44lT+aJiexDteewboiVhxAjSHxQwhiYJEdCR6tMN1/uckirDRNbsgAAAAASUVORK5CYII= Date: Mon, 10 Nov 2003 14:26:53 -0800 Message-ID: User-Agent: Gnus/5.1003 (Gnus v5.10.3) XEmacs/21.5 (brussels sprouts, linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ipsec-policy@mail.vpnc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: The MIB for this WG was completed a year ago, and got reviewed by one AD and the comments were Incorporated. But it has not been reviewed by one of the security area ADs, and there it sat for a long time. Part of the problem is that the size of the document was, um, large due to the number of configuration options that IKE and IPsec require. In the mean time, two other working groups have wanted to make use of the security-policy/filtering mechanisms defined by the first half of the MIB (the smallest and easiest to understand portion of the MIB). However, these WGs were unwilling to use it unless it became a separate document (IE, the conformance statements at the bottom of the MIB were not understood since they specifically documented that implementation of the IPsec portions weren't necessary to claim conformance with the firewall/filtering quarter of the MIB). Anyway.... In an effort to resolve these problems, the authors would like to split the document into 3 parts. 1 part for SPD configuration, 1 part for IPsec parameters and static SAs, and 1 part for IKE. The final reasoning for doing this should be obvious: it will be easy to drop/historic the IKE portion when IKEv2 takes off. If there are no objections to this, we'll do this and republish within a few weeks. Argument Summary: + more readable + more reusable + smaller documents + easy to make the IKE piece historic. -- Wes Hardaker Sparta From owner-ipsec-policy@mail.vpnc.org Mon Nov 10 22:03:02 2003 Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA01819 for ; Mon, 10 Nov 2003 22:03:02 -0500 (EST) Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hAB2O1kT005837 for ; Mon, 10 Nov 2003 18:24:01 -0800 (PST) (envelope-from owner-ipsec-policy@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id hAB2O1BI005836 for ipsec-policy-bks; Mon, 10 Nov 2003 18:24:01 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f Received: from hoemail2.firewall.lucent.com (hoemail2.lucent.com [192.11.226.163]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hAB2NxkT005830 for ; Mon, 10 Nov 2003 18:24:00 -0800 (PST) (envelope-from bwijnen@lucent.com) Received: from nl0006exch001h.wins.lucent.com (h135-85-76-62.lucent.com [135.85.76.62]) by hoemail2.firewall.lucent.com (Switch-2.2.8/Switch-2.2.0) with ESMTP id hAB2Mwh17163 for ; Mon, 10 Nov 2003 20:23:12 -0600 (CST) Received: by nl0006exch001h.nl.lucent.com with Internet Mail Service (5.5.2656.59) id ; Tue, 11 Nov 2003 03:22:56 +0100 Message-ID: <7D5D48D2CAA3D84C813F5B154F43B15502EAF60F@nl0006exch001u.nl.lucent.com> From: "Wijnen, Bert (Bert)" To: Wes Hardaker , ipsec-policy@vpnc.org Subject: RE: Splitting the IPSEC-POLICY-MIB into 3 parts. Date: Tue, 11 Nov 2003 03:22:56 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2656.59) Content-Type: text/plain Sender: owner-ipsec-policy@mail.vpnc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Makes sense to me Bert > -----Original Message----- > From: Wes Hardaker [mailto:hardaker@tislabs.com] > Sent: maandag 10 november 2003 23:27 > To: ipsec-policy@vpnc.org > Subject: Splitting the IPSEC-POLICY-MIB into 3 parts. > > > > > The MIB for this WG was completed a year ago, and got reviewed by one > AD and the comments were Incorporated. But it has not been reviewed > by one of the security area ADs, and there it sat for a long time. > Part of the problem is that the size of the document was, um, large > due to the number of configuration options that IKE and IPsec require. > > In the mean time, two other working groups have wanted to make use of > the security-policy/filtering mechanisms defined by the first half of > the MIB (the smallest and easiest to understand portion of the MIB). > However, these WGs were unwilling to use it unless it became a > separate document (IE, the conformance statements at the bottom of the > MIB were not understood since they specifically documented that > implementation of the IPsec portions weren't necessary to claim > conformance with the firewall/filtering quarter of the MIB). > > Anyway.... In an effort to resolve these problems, the authors would > like to split the document into 3 parts. 1 part for SPD > configuration, 1 part for IPsec parameters and static SAs, and 1 part > for IKE. > > The final reasoning for doing this should be obvious: it will be easy > to drop/historic the IKE portion when IKEv2 takes off. > > If there are no objections to this, we'll do this and republish within > a few weeks. > > Argument Summary: > + more readable > + more reusable > + smaller documents > + easy to make the IKE piece historic. > > -- > Wes Hardaker > Sparta > From owner-ipsec-policy@mail.vpnc.org Tue Nov 11 11:25:56 2003 Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA08217 for ; Tue, 11 Nov 2003 11:25:54 -0500 (EST) Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hABFXXkT005842 for ; Tue, 11 Nov 2003 07:33:33 -0800 (PST) (envelope-from owner-ipsec-policy@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id hABFXXs6005841 for ipsec-policy-bks; Tue, 11 Nov 2003 07:33:33 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f Received: from hs3.order-vault.net (www.hs3.order-vault.net [216.71.40.131]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hABFXVkT005814 for ; Tue, 11 Nov 2003 07:33:32 -0800 (PST) (envelope-from lsanchez@xapiens.com) Received: from xapiens.com (dyn134-226.ietf58.ietf.org [130.129.134.226]) (authenticated (0 bits)) by hs3.order-vault.net (8.11.6/8.11.6) with ESMTP id hABFXRT20160 for ; Tue, 11 Nov 2003 10:33:27 -0500 Message-ID: <3FB10145.50909@xapiens.com> Date: Tue, 11 Nov 2003 11:33:25 -0400 From: "Luis A. Sanchez" Organization: Xapiens Corporation User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax) X-Accept-Language: en-us, en MIME-Version: 1.0 To: ipsec-policy Subject: Re: Splitting the IPSEC-POLICY-MIB into 3 parts. References: <7D5D48D2CAA3D84C813F5B154F43B15502EAF60F@nl0006exch001u.nl.lucent.com> In-Reply-To: <7D5D48D2CAA3D84C813F5B154F43B15502EAF60F@nl0006exch001u.nl.lucent.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ipsec-policy@mail.vpnc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Content-Transfer-Encoding: 7bit No one present at the WG meeting last night opposed to the idea of splitting the original IPsec Configuration MIB document into three smaller documents. If anyone on the mailing list has a reason for not doing this please send email to the mailing list. -luis From owner-ipsec-policy@mail.vpnc.org Wed Nov 19 16:04:33 2003 Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA11574 for ; Wed, 19 Nov 2003 16:04:32 -0500 (EST) Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hAJKS9kT010475 for ; Wed, 19 Nov 2003 12:28:09 -0800 (PST) (envelope-from owner-ipsec-policy@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id hAJKS9Gd010474 for ipsec-policy-bks; Wed, 19 Nov 2003 12:28:09 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hAJKS7kT010466 for ; Wed, 19 Nov 2003 12:28:09 -0800 (PST) (envelope-from dinaras@cnri.reston.va.us) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09790; Wed, 19 Nov 2003 15:27:55 -0500 (EST) Message-Id: <200311192027.PAA09790@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ipsec-policy@vpnc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-ipsp-ipsecpib-09.txt Date: Wed, 19 Nov 2003 15:27:54 -0500 Sender: owner-ipsec-policy@mail.vpnc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IP Security Policy Working Group of the IETF. Title : IPSec Policy Information Base Author(s) : M. Li, D. Arneson, A. Doria, J. Jason, C. Wang, M. Stenberg Filename : draft-ietf-ipsp-ipsecpib-09.txt Pages : 97 Date : 2003-11-19 This document describes a portion of the Policy Information Base (PIB) for a device implementing the IP Security Architecture. The provisioning classes defined here provide control of IPsec policy. These provisioning classes can be used with other non-IPsec provisioning classes (defined in other PIB modules) to provide for a comprehensive policy controlled mapping of service requirement to device capability and usage. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-ipsp-ipsecpib-09.txt To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message. Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-ipsp-ipsecpib-09.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-ipsp-ipsecpib-09.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <2003-11-19144718.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-ipsp-ipsecpib-09.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-ipsp-ipsecpib-09.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2003-11-19144718.I-D@ietf.org> --OtherAccess-- --NextPart-- From owner-ipsec-policy@mail.vpnc.org Fri Nov 21 11:05:36 2003 Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA19232 for ; Fri, 21 Nov 2003 11:05:36 -0500 (EST) Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hALFP8kT067774 for ; Fri, 21 Nov 2003 07:25:08 -0800 (PST) (envelope-from owner-ipsec-policy@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id hALFP8AZ067773 for ipsec-policy-bks; Fri, 21 Nov 2003 07:25:08 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f Received: from mgw-x1.nokia.com (mgw-x1.nokia.com [131.228.20.21]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hALFP5kT067767 for ; Fri, 21 Nov 2003 07:25:06 -0800 (PST) (envelope-from Man.M.Li@nokia.com) Received: from esvir01nok.ntc.nokia.com (esvir01nokt.ntc.nokia.com [172.21.143.33]) by mgw-x1.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id hALFP5A17699 for ; Fri, 21 Nov 2003 17:25:05 +0200 (EET) Received: from daebh002.NOE.Nokia.com (unverified) by esvir01nok.ntc.nokia.com (Content Technologies SMTPRS 4.2.5) with ESMTP id ; Fri, 21 Nov 2003 17:25:04 +0200 Received: from bsebe001.NOE.Nokia.com ([172.19.160.13]) by daebh002.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6747); Fri, 21 Nov 2003 09:24:46 -0600 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Subject: RE: MIB/PIB doctor review for draft-ietf-ipsp-ipsecpib-09.txt - part 1 X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1 Date: Fri, 21 Nov 2003 10:24:44 -0500 Message-ID: Thread-Topic: MIB/PIB doctor review for draft-ietf-ipsp-ipsecpib-09.txt - part 1 Thread-Index: AcOuwNJFwuKtroB8Sl6d1/EsMu6CcAAx86zQ From: To: Cc: , , , , X-OriginalArrivalTime: 21 Nov 2003 15:24:46.0506 (UTC) FILETIME=[988B28A0:01C3B043] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id hALFP7kT067769 Sender: owner-ipsec-policy@mail.vpnc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Content-Transfer-Encoding: 8bit Hi Bert, Thanks for your comments on the IPsec PIB draft v9. Modifications have been made to address your comments 1-7 and they are described below. Please also take a look at my reply to your comment #8, since any change will create a discrepancy with RFC 3585, I suggest to leave it as is unless you do not agree. Please let me know if any of the modifications described are still not satisfactory. I look forward to hearing more comments from you on the rest of the draft. At which point, we'll submit a new version. Thanks. Best regards Man > -----Original Message----- > From: ext Wijnen, Bert (Bert) [mailto:bwijnen@lucent.com] > Sent: November 19, 2003 12:08 PM > To: Li Man.M (NRC/Boston); 'ho@alum.mit.edu'; 'avri@apocalypse.org'; > 'lsanchez@xapiens.com' > Cc: Steve Bellovin (E-mail); Wijnen, Bert (Bert) > Subject: MIB/PIB doctor review for draft-ietf-ipsp-ipsecpib-09.txt - > part 1 > > > Based on the revision 9 that I received privately: > > 1. I see: > ipSecRuleIfName OBJECT-TYPE > SYNTAX SnmpAdminString > STATUS current > DESCRIPTION > "The interface capability set to which this IPsec rule applies. > The interface capability name specified by this attribute MUST > exist in the frwkCapabilitySetTable [9] prior to association with > an instance of this class." > ::= { ipSecRuleEntry 2 } > > So I wonder: > - would an attribute name of ipSecRuleIfCapSetName not be > better than > ipSecRuleIfName ??? When I see the latter I think of ifName in the > IF-MIB, when I see the former I am more inclined to think about > the capaibilty in the frwkCapabilitySetTable. The latter > would also > be more inline with what we see in other PIB docs (RFC3317 for > example) OK. Name changed to ipSecRuleIfCapSetName. > - what kind of error must be returned when the entry in the > frwkCapabilitySetTable does not yet exist? Added description in the table that the ipSecRule table entry will not be installed if that happens. > - is it clear what values the OID pointers in the > frwkCapabilitySetTable > can/should take when they are associated with an entry in > this ipSec table? Added "The frwkCapabilitySetCapability attribute of that entry shall in turn point to an entry in the ipSecIfCaps table." to make it clear. > > 2. I see > ipSecRuleRoles OBJECT-TYPE > SYNTAX RoleCombination > STATUS current > DESCRIPTION > "Specifies the role combination of the interface to which this > IPsec rule should apply. There must exist an instance in the > frwkRoleComboTable [9] specifying this role combination, together > with the interface capability set specified by ipSecRuleIfName, > prior to association with an instance of this class." > ::= { ipSecRuleEntry 3 } > > - what error must be returned when the entry in frwkRoleComboTable > does not yet exist? Added description in the table that the ipSecRule table entry will not be installed if that happens. > 3. I see > ipSecRuleAutoStart OBJECT-TYPE > SYNTAX TruthValue > STATUS current > DESCRIPTION > "Indicates if this rule should be automatically executed." > ::= { ipSecRuleEntry 11 } > > The name "AutoStart" seems to tell me it needs to be activated when > the class is instantiated. Is that the same as "automatically > executed"? What if the value gets changed to false? Changed to "Indicates if this rule shall be activated when it is instantiated, i.e., start negotiate or statically set security associations. If the value is changed to false later, there is no impact on the security associations that have already started." > > 4. May I assume that if either ipSecStaticActionLifetimeSeconds > or ipSecStaticActionLifetimeKilobytes indicates end of life time > that that indeed marks the end of life? It is not clear what > happens in that case. You may want to clarify. Added the following in ALL lifetime attributes "When both the LifetimeSeconds and LifetimeKilobytes are used, the first lifetime to expire takes precedence." > > 5. I see: > ipSecAssociationVendorId OBJECT-TYPE > SYNTAX OCTET STRING > STATUS current > DESCRIPTION > "Specifies the IKE Vendor ID. .... > > and wonder: what is an IKE Vendor ID? How is it formatted? > Where is that explained? Is a reference usefull? I think so. Added a reference to RFC 2408. There are a couple more VendorId in the draft, will add references to them as well > > 6. WHen I see: > ipSecAssociationDhGroup OBJECT-TYPE > SYNTAX Unsigned16TC > STATUS current > DESCRIPTION > "Specifies the key exchange group to use for phase 2 when the > > I wonder... is that justa random value? Or does each value mean > something, and if so, where is that defined? Added "reference to RFC 2409 for valid Dh group values" to both ipSecAssociationDhGroup and ipSecIkeProposalIkeDhGroup. > > 7. ipSecAssociationGranularity > when reading the DESCRIPTION clause, I wonder if a BITS syntax is > not better here OK. Changed to BITS. > > 8. ipSecAhTransformMaxLifetimeSeconds > I find it strange that zero means a max lifetime of 8 hours here, > where as in an earlier xxxMaxLifeTimeSeconds object/attribute it > meand infinite ?? Is that logical? Does that make sense? All the lifetime attributes and their default values are aligned with RFC 3585. All the maxLifeTimeSeconds seem to use 0 to indicate 8 hours. All other lifetime or minLifetime uses 0 to indicate infinite. We could make changes so that, for example, 0 indicates infinite in all the cases. But that will create discrepancy between this draft and RFC 3585. From owner-ipsec-policy@mail.vpnc.org Sun Nov 23 23:55:46 2003 Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA11468 for ; Sun, 23 Nov 2003 23:55:46 -0500 (EST) Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hAO4FjkT049330 for ; Sun, 23 Nov 2003 20:15:45 -0800 (PST) (envelope-from owner-ipsec-policy@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id hAO4FjZX049329 for ipsec-policy-bks; Sun, 23 Nov 2003 20:15:45 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-ipsec-policy@mail.vpnc.org using -f Received: from crufty.research.bell-labs.com (ns2.research.bell-labs.com [204.178.16.49]) by above.proper.com (8.12.10/8.12.8) with ESMTP id hAO4FhkT049321 for ; Sun, 23 Nov 2003 20:15:43 -0800 (PST) (envelope-from madhur@lucent.com) Received: from scummy.research.bell-labs.com (H-135-104-2-10.research.bell-labs.com [135.104.2.10]) by crufty.research.bell-labs.com (8.12.10/8.12.10) with ESMTP id hAO4Fhxl054108 for ; Sun, 23 Nov 2003 23:15:43 -0500 (EST) Received: from zydeco.research.bell-labs.com (zydeco.research.bell-labs.com [135.104.120.150]) by scummy.research.bell-labs.com (8.12.9/8.12.9) with ESMTP id hAO4Fb0C078165 for ; Sun, 23 Nov 2003 23:15:37 -0500 (EST) Received: from lucent.com (dhcp50109.cs.bell-labs.com [135.104.50.109]) by zydeco.research.bell-labs.com (8.12.10/8.12.10) with ESMTP id hAO4FaX0025120 for ; Sun, 23 Nov 2003 23:15:36 -0500 (EST) Message-ID: <3FC185E8.20303@lucent.com> Date: Sun, 23 Nov 2003 23:15:36 -0500 From: Madhur Kohli User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ipsec-policy@vpnc.org Subject: Policy 2004: Call for Papers Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ipsec-policy@mail.vpnc.org Precedence: bulk List-Archive: List-ID: List-Unsubscribe: Content-Transfer-Encoding: 7bit This CFP posted here, with permission of the WG chairs, to solicit participation from members of this community. -- Policy 2004: 5th IEEE International Workshop on Policies for Distributed Systems and Networks 7-9 June 2004 IBM T.J. Watson Research Centre, Yorktown Heights, New York. http://www.policy-workshop.org/2004/ The policy workshop aims to bring together researchers and practitioners working on policy-based systems across a wide range of application areas including policy-based networking, security management, storage area networking, and enterprise systems. Policy 2004 is the 5th in a series of successful workshops which since 1999 have provided a forum for discussion and collaboration between researchers, developers and users of policy-based systems. This year, in addition to the latest research results from the communities working in the areas mentioned above, we encourage contributions on policy-based techniques in support of: autonomic computing, ubiquitous systems and business rules. Policy 2004 invites contributions in the form of either: - Technical papers (max. length 10 pages). - Short position papers describing preliminary experimental results, experiences with deployed policy systems, and new applications and directions for policies (max. length 4 pages) Paper submission deadline: 19 December 2003 -- Madhur Kohli, Emil Lupu Program Co-chairs, Policy 2004