
IPSP Configuration Model Framework Feedback

IPSP Configuration Information Model (ICIM): http://rafalow.home.mindspring.com/dmtf.htm, http://www.dmtf.org/spec/cims.html. Feedback discussions. Lee Rafalow (rafalow@raleigh.ibm.com), IPSP WG & Policy WG.


Presentation Transcript


  1. IPSP Configuration Model Framework Feedback
     • IPSP Configuration Information Model (ICIM)
     • http://rafalow.home.mindspring.com/dmtf.htm
     • http://www.dmtf.org/spec/cims.html
     • Feedback discussions
     Lee Rafalow, rafalow@raleigh.ibm.com
     IPSP WG & Policy WG
     49th IETF - San Diego

  2. DMTF Device-Model Overview

  3. Derived from Policy Framework

  4. Filter-based Conditions

  5. Actions, Proposals & Transforms

  6. IPSP Configuration Info Model Feedback Discussion
     • Many of the differences in the models can be traced back to:
     • PCIM is a general framework
     • QPIM is a domain-level policy model
     • QDDIM is a device-level model of operational behavior
     • ICIM is a device-level policy model
     • A few are just different approaches

  7. Condition Differences
     • Filters & “Atoms” (QPIM)
     • IPSP provides for discipline-specific condition evaluation information using associations to a FilterList and CredentialManagementService
     • QPIM defines subclasses of Condition that provide a general <variable><operator><value> grammar
     • Implicit Condition Semantics
     • IPsec protocol provides identity information at different times in the protocol sequence
     • Condition evaluation is predicated on presence of the information, i.e., semantic of identity and credential filter is compound “if present and <matchcondition>”
     • “if <address filter> and <identity filter>” may evaluate to TRUE in early stage of Phase 1 and evaluate to FALSE once identity information is available

  8. Group-related Differences
     • IPsecPolicyGroupInPolicyGroup.GroupPriority (QPIM)
     • IPSP models GroupPriority in the aggregation
     • QPIM models gpPriority as a property of gpsPolicyGroup (in the same way as RulePriority)
     • Rules in exactly one group (PCIM)
     • Unique Rule & Group Priority values (PCIM)
     • Deterministic rule evaluation order
     • Decision Strategy (QPIM)
     • IPSP decision strategy is Match First, implicit
     • QPIM has explicit decision strategies defined in qpPolicyDomain.gpPolicyRuleMatchMethod and gpsPolicyGroup.gpNamedPolicyRuleMatchMethod

  9. Policy Roles
     • PolicyGroup, Roles & Interface Bindings (PCIM)
     • IPsec model defines explicit association between IPsecPolicyGroup and interfaces (IPProtocolEndpoint) to which it applies
     • PCIM defines PolicyRole on a rule basis, association by named relationship
     • IKERule.IdentityContexts & Roles (PCIM)
     • IdentityContexts uses roles and role combinations syntax
     • Provides named relationship between IKERule and appropriate local identity to use, used with other properties
     • IKEAction.UseIkeIdentityType
     • IPProtocolEndpoint

  10. Inheritance Discussion
     • Device-level model structures
     • QDDIM is a model of operational behavior, derives from operational classes
     • IPSP ICIM is a policy model, derives from Policy classes
     • PolicyActions vs. Settings
     • Some disagreement about class derivations
     • Multiple inheritance in a single inheritance environment
     • Bypass and Discard

  11. Other Discussion Topics
     • PolicyRule.SequencedActions (PCIM)
     • “Mandatory” but with a “use first appropriate” semantic, extend enumeration values?
     • PolicyElementInRepository (QPIM)
     • IPSP defines …InRepository associations for SAProposal & SATransform, weak associations
     • QPIM defines one general association
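
The evaluation behaviour described on slides 7 and 8, as an added example that is not part of the original presentation or of the ICIM model: nested groups are flattened into one deterministic order by unique priority, the first matching rule wins (Match First), and the identity filter follows the "if present and <matchcondition>" semantic. The class names, the sample policy and the larger-value-first priority ordering are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Context:                       # what is known at this point of the exchange
    peer_addr: str
    peer_identity: Optional[str] = None   # None until Phase 1 reveals it

@dataclass
class Rule:                          # hypothetical stand-in for a policy rule
    name: str
    priority: int
    subnet: str                      # address filter
    identity: Optional[str] = None   # identity filter, None = no such filter

    def matches(self, ctx: Context) -> bool:
        if ipaddress.ip_address(ctx.peer_addr) not in ipaddress.ip_network(self.subnet):
            return False
        # "if present and <matchcondition>": test identity only once it is known
        if self.identity is not None and ctx.peer_identity is not None:
            return ctx.peer_identity == self.identity
        return True

@dataclass
class Group:                         # hypothetical stand-in for a policy group
    name: str
    priority: int
    members: list = field(default_factory=list)   # Rules and nested Groups

def ordered_rules(group: Group):
    """Flatten nested groups into one deterministic evaluation order."""
    prios = [m.priority for m in group.members]
    if len(prios) != len(set(prios)):             # unique values among siblings
        raise ValueError(f"duplicate priority in group {group.name}")
    # Assumption: a larger priority value is evaluated first.
    for m in sorted(group.members, key=lambda m: m.priority, reverse=True):
        if isinstance(m, Group):
            yield from ordered_rules(m)
        else:
            yield m

def decide(group: Group, ctx: Context) -> Optional[Rule]:
    """Match First: return the first rule whose condition is TRUE."""
    return next((r for r in ordered_rules(group) if r.matches(ctx)), None)

# Constructed sample policy (documentation addresses and names).
POLICY = Group("root", 0, [
    Group("partners", 20, [Rule("partner-gw", 10, "192.0.2.0/24", "gw.partner.example")]),
    Rule("default", 10, "0.0.0.0/0"),
])
```

With this policy, `decide(POLICY, Context("192.0.2.7"))` selects `partner-gw` before the peer identity is known, while the same address with a non-matching identity falls through to `default`, which is the TRUE-then-FALSE change slide 7 describes.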
