Policy Management System
Policy management defines the following interfaces:

  • interface between the directory service and the local database where the policy is stored;

  • interface between the User Interface application and the local policy database that allows read, write, and modify access to the database;

  • interface between IKE and policy database;

  • interface between kernel and the policy database.

The interfaces defined by the policy management should provide the ability to search the database based on one or more selectors. For example, one should be able to look up the policy for a particular <src, dst> pair or the policy for a particular network. It should also be possible to look up both inbound and outbound policy. The policy management should always be deterministic in its matches and should always match the longest prefix.

For example, if you configure a policy for the network 205.15/16 and another policy for the host 205.15.2.1, a search for the policy to 205.15.2.1 should return the policy entry created specifically for the host 205.15.2.1 and not the one for the network 205.15/16. In cases where the match is ambiguous, the policy management should still return policy in a deterministic manner. For example, if you configure a policy <205.15/16, 206.1.1.1> (P1) and another policy <205.15.1.1, 206.1/16> (P2), then a lookup for <205.15.1.1, 206.1.1.1> could legitimately return P1, P2, or both. The proper behavior is to return both and to always return them in the same order.
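The following is an added illustration, not code from the book or from any particular IPSec implementation. It models a small user-level SPD with <src, dst> selectors plus a direction, and implements the two rules stated above: the longest prefix wins, and when several entries tie on specificity (the P1/P2 case) all of them are returned in a fixed, insertion-based order. The entry names, the action labels and the combined-prefix-length scoring are assumptions made for the example; the selector values are the ones used in the text.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List


def parse_prefix(text: str) -> IPv4Network:
    """Accept the book's shorthand ("205.15/16") as well as full dotted
    notation ("205.15.0.0/16", "205.15.2.1"); a bare host becomes a /32.
    ip_network() is strict, so a prefix with host bits set is rejected."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    if len(octets) > 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad address in selector: {text!r}")
    octets += ["0"] * (4 - len(octets))          # pad "205.15" to "205.15.0.0"
    return ip_network(".".join(octets) + (f"/{plen}" if plen else "/32"))


@dataclass(frozen=True)
class PolicyEntry:
    name: str
    src: IPv4Network
    dst: IPv4Network
    direction: str   # "in" or "out"
    action: str      # illustrative label only, e.g. "esp", "bypass", "discard"

    @property
    def specificity(self) -> int:
        # Combined prefix length (assumed scoring): a /32 host beats a /16
        # network, and <16,32> ties with <32,16>, which is the ambiguous case.
        return self.src.prefixlen + self.dst.prefixlen


class PolicyDatabase:
    DIRECTIONS = ("in", "out")

    def __init__(self) -> None:
        # List order is insertion order and doubles as the tie-breaker, so the
        # same lookup always yields the same ordering.
        self._entries: List[PolicyEntry] = []

    def add(self, name: str, src: str, dst: str, direction: str, action: str) -> PolicyEntry:
        if direction not in self.DIRECTIONS:
            raise ValueError(f"direction must be one of {self.DIRECTIONS}")
        entry = PolicyEntry(name, parse_prefix(src), parse_prefix(dst), direction, action)
        self._entries.append(entry)
        return entry

    def lookup(self, src: str, dst: str, direction: str) -> List[PolicyEntry]:
        """Return every entry at the most specific matching tier, in insertion order."""
        s, d = ip_address(src), ip_address(dst)
        matches = [e for e in self._entries
                   if e.direction == direction and s in e.src and d in e.dst]
        if not matches:
            return []
        best = max(e.specificity for e in matches)
        return [e for e in matches if e.specificity == best]


def build_sample_db() -> PolicyDatabase:
    """Constructed sample SPD using the selectors from the text."""
    db = PolicyDatabase()
    db.add("net-205.15/16", "205.15/16", "0.0.0.0/0", "out", "esp")
    db.add("host-205.15.2.1", "205.15.2.1", "0.0.0.0/0", "out", "esp")
    db.add("P1", "205.15/16", "206.1.1.1", "out", "esp")
    db.add("P2", "205.15.1.1", "206.1/16", "out", "esp")
    db.add("in-net-205.15/16", "0.0.0.0/0", "205.15/16", "in", "esp")
    return db


def lookup_names(db: PolicyDatabase, src: str, dst: str, direction: str) -> List[str]:
    return [e.name for e in db.lookup(src, dst, direction)]


if __name__ == "__main__":
    db = build_sample_db()
    print(lookup_names(db, "205.15.2.1", "10.0.0.5", "out"))   # host entry beats the /16
    print(lookup_names(db, "205.15.1.1", "206.1.1.1", "out"))  # P1 and P2, same order every time
    print(lookup_names(db, "206.1.1.1", "205.15.1.1", "in"))   # inbound policy
    print(lookup_names(db, "9.9.9.9", "206.1.1.1", "out"))     # no matching policy
```

A real kernel SPD would use a radix or trie structure rather than a linear scan, but the ordering contract is the part that matters for correctness: whichever structure is used, the host-specific entry must shadow the network entry, and equally specific entries must come back in a stable order so that the kernel, IKE and the UI all see the same answer for the same selectors.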

The interfaces the policy management defines should address all the issues enumerated in the policy definition section. We will not address UI-specific issues in this book as it is impossible to make specific recommendations on UI that are universally acceptable! The interface between the UI application and the database can be similar to the interface between the database and IKE. We will discuss this in the next section.

Kernel Support

The IPSec kernel consults the policy to determine the security services afforded to a packet. If the policy database is maintained only in user space, the kernel would need a context switch into user space to look up the policy for every packet. This operation is very expensive, so it is almost mandatory for the kernel to maintain its own copy of the security policy database.

It is the policy management application's responsibility to update the kernel's SPD. As an implementor, you can define your own interface between the policy management application and the kernel. There has been some work at the IETF in defining the interface between the policy management application and the kernel. This interface is called PF_KEY, and it is modeled after the PF_ROUTE socket interface to the kernel's routing table.

The policy management system should modify/delete/add entries to the kernel's SPD instantaneously. It should also provide the ability for bulk updates and not just one policy record at a time. This is critical for boot performance.

The policy management application should also support manual keying. It should be able to add and delete manual SAs.

IKE Support

IKE is invoked by the kernel, by the policy management application, or by another IKE peer to establish keys. The kernel invokes IKE when it needs an SA for secure communication, or when an SA has expired and it needs to establish a new one. The policy management application invokes IKE when it wants to establish keys before the kernel needs them, so as to reduce the delay in setting up a new connection.

The kernel or the policy management application can invoke IKE in one of two ways:

  1. pass just the selectors, in which case IKE has to consult the user level policy database to determine the policy;

  2. pass the full policy.

If you choose option 1, the access to the user-level policy database has to be synchronized between IKE and the policy management application.

When IKE responds to a key negotiation request, it needs an interface to the user-level SPD to choose the parameters for the connection. The policy database lookup is based on selectors.

Another important aspect of policy management for IKE support is certificates. The IETF is working on standards for storage and retrieval of certificates. It is our belief that these technologies are not mature and it will be a few years before we see actual deployment of a large public key infrastructure. During this period, the certificates will be stored locally and fetched from a directory. The policy management system should provide the ability to store/delete certificates in its database and also provide an interface to fetch certificates from its database to IKE. Certificate support in IPSec is discussed in greater detail in Chapter 11.

IPSec(c) The New Security Standard for the Internet, Intranets, and Virtual Private Networks
IPSec (2nd Edition)
ISBN: 013046189X
Year: 2004
Pages: 76