From owner-ipsec-policy@mail.vpnc.org  Sun Sep  5 21:16:30 2004
Date: Sun, 5 Sep 2004 18:43:53 -0600
Message-Id: <200409060043.i860hrMO018619@localhost.localdomain>
From: "The Purple Streak, Hilarie Orman" <ho@alum.mit.edu>
To: ipsec-policy@vpnc.org
Subject: Workshop on Policies


This item is probably of interest to ipsec-policy people.

Submitted by Arosha Bandara, <bandara@doc.ic.ac.uk>:

                         Policy 2005
                         ===========
         6th IEEE International Workshop on Policies
         ===========================================
            for Distributed Systems and Networks
            ====================================
                http://www.sics.se/policy2005/
                
                       6-8 June 2005
                     Stockholm, Sweden

The policy workshop aims to bring together researchers and practitioners 
working on policy-based systems across a wide range of application areas 
including policy-based networking, security management, storage area 
networking, and enterprise systems. Policy 2005 is the 6th in a series 
of successful workshops which since 1999 have provided a forum for 
discussion and collaboration between researchers, developers and users 
of policy-based systems. This year, in addition to the latest research 
results from the communities working in the areas mentioned above, we 
encourage contributions on policy-based techniques in support of: 
On-demand computing/Utility Computing, SLA/Contract based Management, 
Virtualization and Policy-based collaboration.

As in the previous three years the policy workshop will be co-located 
with SACMAT 2005.

POLICY 2005 invites contributions on all aspects of policy-based 
computing. Papers must describe original work and must not have been 
accepted or submitted for publication elsewhere. Submitted papers will 
be evaluated for technical contribution, originality, and significance. 
For a list of the topics of interest, please refer to the full CFP at
the workshop website: http://www.sics.se/policy2005/

The deadline for submission is December 10, 2004.



From owner-ipsec-policy@mail.vpnc.org  Tue Sep 28 12:30:49 2004
Message-ID: <41598642.2080405@alcatel.fr>
Date: Tue, 28 Sep 2004 17:41:54 +0200
From: Yacine.El_Mghazli@alcatel.fr
Organization: Alcatel R&I
To: ipsec-policy@vpnc.org
Cc: Yacine El Mghazli <yacine.el_mghazli@alcatel.fr>,
        Michael Baer <baerm@sparta.com>, hardaker@tislabs.com,
        rs-snmp@revelstone.com, cliffwang2000@yahoo.com,
        Julien Bournelle <Julien.Bournelle@int-evry.fr>,
        Yoshihiro Ohba <yohba@tari.toshiba.com>
Subject: IPSP MIBs usage review needed
References: <40B1B345.6000208@alcatel.fr> <m3zn7xu0j9.fsf@sparta.com> <40F2BB06.7050807@alcatel.fr>
In-Reply-To: <40F2BB06.7050807@alcatel.fr>


hello all,

our document in the PANA WG proposes to re-use the IPSP MIBs in the PANA 
framework for authorization features. we need people from this group to 
review the usage example in our I-D (section 6, page 16):
http://www.ietf.org/internet-drafts/draft-ietf-pana-snmp-01.txt

/*
PANA authorization phase in brief:

          +-----+       PANA        +-----+
          | PaC |<----------------->| PAA |
          +-----+                   +-----+
             ^                         ^
             |                         |
             |         +-----+         |
        IKE/ +-------->| EP  |<--------+ SNMP
     4-way handshake   +-----+

1) the PAA authenticates the PaC via PANA (EAP),
2) the PAA configures the access point (the EP) with authz information.

in the IPsec-based access control case, we need to configure IKE at the 
EP, the PAA then provides the following information:
  - PaC IP address (PaC1-IP@)
  - "PANA-Session-Id|PANA-Key-Id" as the id_key_id for aggressive mode
  - "PSK-from-PAA" as the Pre-shared Key for phase 1 exchanges
*/

thank you in advance for your support,
yacine
Yacine El Mghazli wrote:

> hello,
> 
> this email deals with practical usage of the IPSec configuration MIBs 
> this working group designed. It is for re-use in the PANA framework (see 
> http://www.ietf.org/internet-drafts/draft-ietf-pana-snmp-00.txt).
> 
> below is a picture of the PANA functional model:
> 
>                                               RADIUS/
>                                               Diameter/
>         +-----+       PANA        +-----+     LDAP/ API    +-----+
>         | PaC |<----------------->| PAA |<---------------->| AS  |
>         +-----+                   +-----+                  +-----+
>            ^                         ^
>            |                         |
>            |         +-----+         |
>       IKE/ +-------->| EP  |<--------+ SNMP
>    4-way handshake   +-----+
> 
>                     Figure 1: PANA Functional Model
> 
> 
> in brief: once the PaC is authorized by the PAA and the AS (via EAP), the 
> PAA is in charge of configuring the access point (EP) with authz 
> information.
> in the IPsec-based access control case, we might want to configure IKE 
> at the EP: the PAA provides to the EP the following information:
> - PaC IP address (PaC-TIA)
> - "PANA-Session-Id|PANA-Key-Id" as the id_key_id for aggressive mode
> - "PSK-from-PAA" as the Pre-shared Key for phase 1 exchanges
> 
> you'll find below a tentative example of configuration using your MIBs.
> if possible, can you please check and correct any mistakes.
> 
> 
> thanks,
> yacine
> 
> ------------------------------------------------------
>    so far we define two policy groups ("EP-SPD-IN" and "EP-SPD-OUT"):
> 
>    spdEndpointToGroupTable.1 =
>       spdEndGroupDirection = incoming;
>       spdEndGroupIdentType = IPv4;
>       spdEndGroupAddress = EP-ADDR;
>       spdEndGroupName = "EP-SPD-IN";
> 
>    spdEndpointToGroupTable.2 =
>       spdEndGroupDirection = outgoing;
>       spdEndGroupIdentType = IPv4;
>       spdEndGroupAddress = EP-ADDR;
>       spdEndGroupName = "EP-SPD-OUT";
> 
>    We define two filters in the "IP Header filter" table: one matches IP
>    packets coming from the PaC, the other matches IP packets going to the
>    PaC.
> 
>    spdIpHeaderFilterTable.1 =
>       spdIpHeadFiltName = "PaC1-TIA Filter SOURCE";
>       spdIpHeadFiltType = { sourceAddress ON };
>       spdIpHeadFiltIPVersion = v4;
>       spdIpHeadFiltSrcAddressBegin = PaC1-TIA;
>       spdIpHeadFiltSrcAddressEnd = PaC1-TIA;
> 
>    spdIpHeaderFilterTable.2 =
>       spdIpHeadFiltName = "PaC1-TIA Filter DEST";
>       spdIpHeadFiltType = { destAddress ON };
>       spdIpHeadFiltIPVersion = v4;
>       spdIpHeadFiltSrcAddressBegin = PaC1-TIA;
>       spdIpHeadFiltSrcAddressEnd = PaC1-TIA;
> 
>    -- IKE Phase 1 configuration (aggressive mode):
> 
>    We define a sub-group in policy group "EP-SPD-IN" of the SPD MIB,
>    using the "Group contents" table.  This sub-group is dedicated to the
>    IKE traffic coming to the EP:
> 
>    spdGroupContentsTable.1 =
>       spdGroupContName = "EP-SPD-IN";
>       spdGroupContPriority = 1;
>       spdGroupContFilter = ipiaStaticFilters.1;
>       spdGroupContComponentType = sub-group;
>       spdGroupContComponentName = "EP-IKE-Phase1-IN";
> 
>    And within this IKE-specific policy sub-group we now specify the rule
>    to apply for the IKE traffic coming from PaC1.
> 
>    spdGroupContentsTable.2 =
>       spdGroupContName = "IKE-Phase1-IN";
>       spdGroupContPriority = 1;
>       spdGroupContFilter = spdIpHeaderFilterTable.1;
>       spdGroupContComponentType = rule;
>       spdGroupContComponentName = "PaC1-IKE-RULE";
> 
>    An entry in the "IP Header filter" table helps define the filter to
>    match packets coming from PaC1.
> 
>    spdIpHeaderFilterTable.1 =
>       spdIpHeadFiltName = "PaC1-TIA Filter SOURCE";
>       spdIpHeadFiltType = { sourceAddress ON };
>       spdIpHeadFiltIPVersion = v4;
>       spdIpHeadFiltSrcAddressBegin = PaC1-TIA;
>       spdIpHeadFiltSrcAddressEnd = PaC1-TIA;
> 
>    The "Rule Definition" table links a rule with a given action in the
>    IKE action MIB.  This action will be triggered upon reception at
>    the EP of an IKE packet coming from PaC1.
> 
>    spdRuleDefinitionTable.1 =
>       spdRuleDefName = "PaC1-IKE-RULE";
>       spdRuleDefDescription = "IPSec Access Control for PaC1";
>       spdRuleDefFilter = spdIpHeaderFilterTable.1;
>       spdRuleDefFilterNegated = false (default);
>       spdRuleDefAction = spdIkeActionTable.1;
> 
>    The "IKE action" entry below specifies the main parameters for the
>    IKE exchanges.
> 
>    ipiaIkeActionTable.1 =
>       ipiaIkeActName = "PaC1-IKE";
>       ipiaIkeActParametersName = "SA-PaC1";
>       ipiaIkeActThresholdDerivedKeys = 100 (default);
>       ipiaIkeActExchangeMode = aggressive;
>       ipiaIkeActAgressiveModeGroupId = xxx [Diffie-Hellman values];
>       ipiaIkeActIdentityType = idKeyId;
>       ipiaIkeActIdentityContext = "PANA";
>       ipiaIkeActPeerName = "PaC1";
> 
>    ipiaSaNegotiationParametersTable.1 =
>       ipiaSaNegParamName = "SA-PaC1";
>       ipiaSaNegParamMinLifetimeSecs = xxx;
>       ipiaSaNegParamMinLifetimeKB = xxx;
>       ipiaSaNegParamRefreshThreshSecs = xxx;
>       ipiaSaNegParamRefreshThresholdKB = xxx;
>       ipiaSaNegParamIdleDurationSecs = xxx;
> 
>    The "Peer Identity" table specifically informs the EP on the value of
>    the idKeyId to use in IKE messages with PaC1:
> 
>    ipiaPeerIdentityFilterTable.1 =
>       ipiaPeerIdFiltName = "PaC1";
>       ipiaPeerIdFiltIdentityType = idKeyId;
>       ipiaPeerIdFiltIdentityValue = "PANA-Session-Id|PANA-Key-Id";
> 
>    The following entry links a given identity (PaC1) with an entry in
>    the "Credentials" table.
> 
>    ipiaIkeIdentityTable.1 =
>       spdEndGroupIdentType = IPv4;
>       spdEndGroupAddress = EP-ADDR;
>       ipiaIkeActIdentityType = idKeyId [?????];
>       ipiaIkeActIdentityContext = PANA;
>       ipiaIkeIdCredentialName = "PaC1-PSK";
> 
>    Finally the pre-shared key derived at the PAA is set here:
> 
>    ipiaCredentialFilterTable.1 =
>       ipiaCredFiltName = "PaC1-PSK";
>       ipiaCredFiltCredentialType = sharedSecret;
>       ipiaCredFiltMatchFieldName = (sharedSecret);
>       ipiaCredFiltMatchFieldValue = "PSK-from-PAA";
> 
> 
> 
> 
> 
> 

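A consistency check over the reference chain the quoted entries build (group contents to rule definition to IKE action, then SA parameters, peer identity and credential), added here as an example; it is not code from the thread, the MIBs or the PANA I-D. The rows are constructed from the values quoted above, keyed by (table, index), using the object names the post uses; the checker resolves every cross-table name and RowPointer, and with the entries exactly as written in the post it reports three gaps (the sub-group name no contents row carries, the rule's action pointer naming a table that differs from the IKE action table, and the destAddress filter whose Src columns are filled instead of Dst).

```python
# Constructed from the posted entries, exactly as written there, keyed (table, index).
CONFIG = {
    ("spdGroupContentsTable", 1): {"spdGroupContName": "EP-SPD-IN", "spdGroupContComponentType": "sub-group",
                                   "spdGroupContComponentName": "EP-IKE-Phase1-IN"},
    ("spdGroupContentsTable", 2): {"spdGroupContName": "IKE-Phase1-IN", "spdGroupContComponentType": "rule",
                                   "spdGroupContComponentName": "PaC1-IKE-RULE"},
    ("spdRuleDefinitionTable", 1): {"spdRuleDefName": "PaC1-IKE-RULE", "spdRuleDefAction": "spdIkeActionTable.1"},
    ("ipiaIkeActionTable", 1): {"ipiaIkeActName": "PaC1-IKE", "ipiaIkeActParametersName": "SA-PaC1",
                                "ipiaIkeActPeerName": "PaC1"},
    ("ipiaSaNegotiationParametersTable", 1): {"ipiaSaNegParamName": "SA-PaC1"},
    ("ipiaPeerIdentityFilterTable", 1): {"ipiaPeerIdFiltName": "PaC1"},
    ("ipiaIkeIdentityTable", 1): {"ipiaIkeIdCredentialName": "PaC1-PSK"},
    ("ipiaCredentialFilterTable", 1): {"ipiaCredFiltName": "PaC1-PSK"},
    ("spdIpHeaderFilterTable", 2): {"spdIpHeadFiltType": {"destAddress"}, "spdIpHeadFiltSrcAddressBegin": "PaC1-TIA"},
}
# Name references between tables: (referring table, column or component type) -> (target table, its name column).
NAME_REFS = {
    ("ipiaIkeActionTable", "ipiaIkeActParametersName"): ("ipiaSaNegotiationParametersTable", "ipiaSaNegParamName"),
    ("ipiaIkeActionTable", "ipiaIkeActPeerName"): ("ipiaPeerIdentityFilterTable", "ipiaPeerIdFiltName"),
    ("ipiaIkeIdentityTable", "ipiaIkeIdCredentialName"): ("ipiaCredentialFilterTable", "ipiaCredFiltName"),
    ("spdGroupContentsTable", "sub-group"): ("spdGroupContentsTable", "spdGroupContName"),
    ("spdGroupContentsTable", "rule"): ("spdRuleDefinitionTable", "spdRuleDefName"),
}
ADDR_COLS = {"sourceAddress": "spdIpHeadFiltSrcAddressBegin", "destAddress": "spdIpHeadFiltDstAddressBegin"}

def values(cfg, table, column):
    """Every value of one column across the rows of one table."""
    return {r[column] for (t, _), r in cfg.items() if t == table and column in r}

def check(cfg):
    """Return findings for dangling names, dead row pointers and half-specified filters."""
    out = []
    for (t, i), r in cfg.items():
        refs = [(col, val) for col, val in r.items() if (t, col) in NAME_REFS]
        if t == "spdGroupContentsTable":  # the component name is a group or a rule, per its type
            refs.append((r["spdGroupContComponentType"], r["spdGroupContComponentName"]))
        for col, val in refs:
            if val not in values(cfg, *NAME_REFS[(t, col)]):
                out.append(f"{t}.{i}: '{val}' matches no {NAME_REFS[(t, col)][0]} row")
        if t == "spdRuleDefinitionTable":  # RowPointer "table.index" must name an existing row
            tab, _, idx = r["spdRuleDefAction"].partition(".")
            if (tab, int(idx)) not in cfg:
                out.append(f"{t}.{i}: action row {r['spdRuleDefAction']} does not exist")
        if t == "spdIpHeaderFilterTable":  # each flag switched on in Type needs its address columns
            for flag, col in ADDR_COLS.items():
                if flag in r["spdIpHeadFiltType"] and col not in r:
                    out.append(f"{t}.{i}: {flag} is on but {col} is not set")
    return out
```

Running check(CONFIG) lists the three gaps; after renaming the second group contents row to the sub-group name, pointing the rule at ipiaIkeActionTable.1 and moving the filter's address to the Dst columns, it returns an empty list.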