
Policy Based Security Management for IPSec, Luis A. Sanchez



  1. Policy Based Security Management for IPSec. Luis A. Sanchez, August 25, 1998

  2. Outline
     - Problems
     - Requirements
     - A Solution
     - Next Step

  3. Problems
     - Need a common security policy specification language
     - Need to specify enforcement points for each policy
     - Discovery of security gateways
     - Resolution of security requirements for inter-domain communication
     - Consistency checking of local security policies
     - Management of dynamic security associations

  4. Requirements
     - Support for complex topologies
       - multiple embedded tunnels
     - Support for legacy systems
       - non IPSec compliant
     - Scalable and deployable incrementally
     - Independence of protocol suite, KMP
     - NAT Friendly
     - Graceful failure

  5. A Solution
     [Figure: Security Policy Negotiation Protocol (SPP) Message Flow. Src and Dst communicate through SG 1, SG 2 and SG 21, with SS 1, SS 2 and SS 21, across Domain 1, Domain 2 and Domain 2.1; arrows are labelled with REQ, RPY and CMD messages.]
     Legend
     - Functions
       - provides server and security services discovery
       - domain based policy resolution
       - enforcement point selection
       - security association bundle management
     - SPP Messages
       - REQ#: SPP-Request
       - RPY#: SPP-Reply
       - CMD#: SPP-Policy

  6. Next Step
     - Code Release: Pre-Alpha by End of Sept. 1998
     - 2 Internet-Drafts underway:
       - Security Policy Specification Language
       - Security Policy System (policy exchange and resolution protocol)
     - Request feedback from Community and vendors in general
     - any questions:
       - lsanchez@bbn.com
