[Ipsec-tools-devel] [RFC] New syntax-structure generate_policy?
Brought to you by:
mit_warlord,
netbsd
Menu
▾
▴
[Ipsec-tools-devel] [RFC] New syntax-structure generate_policy?
|
From: Ludo S. <lu...@pr...> - 2004-06-16 11:16:08
|
Hi all,
After some sparring between James and myself we have come to propose the
following high level syntactical structure for the policy generation
bits of the remote statements:
remote anonymous {
#peers_identifier handles the authentication, syntax see (1)
peers_identifier <type> <identifier> use {
#peers_policy handles policy limiting when the remote system
# specifies policy, syntax see (2)
peers_policy <policy_match_mask> use {
generate_policy on;
}
}
peers_identifier <type> <identifier> use {
#for these peers generate_policy specifies policy, syntax see (3)
generate_policy as <rules>;
}
}
Thus it's is a tree of 1-3 levels deep. Any statement can be used more
than once, allowing for flexible setups.
syntax-notes:
(1) this is the normal syntax as Raccoon allready uses. asn1dn, address,
plain_rsa, etc. with wildcard matches on asn1dn components as
in James' patch. When some part of the remote statement must be applied
to this peer only, the form: use {...} is used.
(2) This is a new statement used to limit/select according to the peer's
requested policy. The syntax of "policy_match_mask" must still be
decided, but it could be something like James earlier suggestions.
(3) Generate_policy (on|off|as {...}), the exact form of the <rules> bit
of this syntax has also not yet been decided, but it could be something
along the lines of Aidas earlier suggestions.
What do you guys think about this structure?
Greetings,
--
Ludo Stellingwerff
V&S B.V. The Netherlands
ProTactive firewall solution.
Tel: +31 172 416116
Fax: +31 172 416124
site: www.protactive.nl
demo: http://www.protactive.nl:81/netview.html
|