[Ipsec-tools-devel] [RFC] New syntax-structure generate_policy?
From: Ludo S. <lu...@pr...> - 2004-06-16 11:16:08
Hi all,

After some sparring between James and myself we have come to propose the following high level syntactical structure for the policy generation bits of the remote statements:

remote anonymous {
    # peers_identifier handles the authentication, syntax see (1)
    peers_identifier <type> <identifier> use {
        # peers_policy handles policy limiting when the remote system
        # specifies policy, syntax see (2)
        peers_policy <policy_match_mask> use {
            generate_policy on;
        }
    }
    peers_identifier <type> <identifier> use {
        # for these peers generate_policy specifies policy, syntax see (3)
        generate_policy as <rules>;
    }
}

Thus it is a tree of 1-3 levels deep. Any statement can be used more than once, allowing for flexible setups.

Syntax notes:

(1) This is the normal syntax as racoon already uses: asn1dn, address, plain_rsa, etc., with wildcard matches on asn1dn components as in James' patch. When some part of the remote statement must be applied to this peer only, the form "use {...}" is used.

(2) This is a new statement used to limit/select according to the peer's requested policy. The syntax of "policy_match_mask" must still be decided, but it could be something like James' earlier suggestions.

(3) generate_policy (on|off|as {...}); the exact form of the <rules> bit of this syntax has also not yet been decided, but it could be something along the lines of Aidas' earlier suggestions.

What do you guys think about this structure?

Greetings,

--
Ludo Stellingwerff
V&S B.V. The Netherlands
ProTactive firewall solution.
Tel: +31 172 416116
Fax: +31 172 416124
site: www.protactive.nl
demo: http://www.protactive.nl:81/netview.html
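Added example, not part of the mail or of ipsec-tools: a small Python checker for the proposed tree that parses a brace-nested "remote" statement and reports any statement that sits at a level the sketch above does not allow (peers_identifier at level 1, peers_policy and generate_policy under it, only generate_policy under peers_policy) and any nested block not opened with "use {". The ALLOWED table is my reading of the proposal, and MASK_PLACEHOLDER stands in for the still-undecided policy_match_mask.

```python
import re

# Statements the proposal allows directly inside each block type (assumed from the mail).
ALLOWED = {"remote": {"peers_identifier"},
           "peers_identifier": {"peers_policy", "generate_policy"},
           "peers_policy": {"generate_policy"}}
TOKEN = re.compile(r"#[^\n]*|[{};]|[^\s{};#]+")  # comments, braces, ';', bare words

def tokenize(text):
    return [t for t in TOKEN.findall(text) if not t.startswith("#")]

def parse_block(tokens, pos):
    # Parse statements up to the matching '}'; item = (keyword, args, children or None).
    items = []
    while pos < len(tokens) and tokens[pos] != "}":
        stmt = []
        while tokens[pos] not in (";", "{"):
            stmt.append(tokens[pos])
            pos += 1
        if tokens[pos] == ";":
            items.append((stmt[0], stmt[1:], None))
            pos += 1
        else:
            children, pos = parse_block(tokens, pos + 1)
            items.append((stmt[0], stmt[1:], children))
            pos += 1  # step over the closing '}'
    return items, pos

def validate(items, context, depth=1):
    # Report statements that sit at a level the proposed tree does not allow.
    problems = []
    for keyword, args, children in items:
        if keyword not in ALLOWED.get(context, set()):
            problems.append(f"'{keyword}' not allowed in {context} (level {depth})")
        elif children is not None:
            if args[-1:] != ["use"]:  # a nested block must be opened as 'use {'
                problems.append(f"block under '{keyword}' must be opened with 'use {{'")
            problems += validate(children, keyword, depth + 1)
    return problems

def check_remote(text):
    # Validate one 'remote <name> { ... }' statement; an empty list means well-formed.
    tokens = tokenize(text)
    return validate(parse_block(tokens, 3)[0], "remote")

# Constructed sample in the proposed syntax; MASK_PLACEHOLDER is a stand-in for policy_match_mask.
SAMPLE = """remote anonymous {
  peers_identifier asn1dn "C=NL,O=Example" use {
    peers_policy MASK_PLACEHOLDER use { generate_policy on; }
  }
  peers_identifier address 192.0.2.1 use { generate_policy off; }
}"""
```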