1. Technical Field of the Invention
This invention pertains to virtual private network (VPN) implementations, a fundamental enabler for E-business. More particularly, it relates to IP security, providing data encryption and authentication at the IP datagram level through the use of VPN policy filters.
2. Background Art
Virtual Private Network (VPN) is a fundamental enabler for electronic business. IP Security, the technology VPNs are built upon, provides data encryption and authentication at the IP datagram level of TCP/IP.
A security policy database (SPD) is, logically, a collection of rules which define how to select IP traffic for the various security associations (SAs). The "SAs" are stored in what is termed the SA database (SAD). Logically, the SPD maps traffic to a particular SA. These are implemented as filter rules. An SPD is a term and concept in the IPsec architecture (RFC 2401), recently approved by the IETF as a proposed standard.
In the prior art, users generate their list of filter rules by hand, and once a set is defined it is an ordered list and is loaded as a set. Once loaded, the set cannot be changed. The rule set is changed by removing the loaded set, and replacing it. It has heretofore not been permitted to load individual filter rules within the set. Thus, the invention objective relates to the dynamic placement of individual filter rules in an existing set of filter rules. The 'placement problem' has two aspects, which must be solved in turn. The first is termed the 'macro' placement problem, because it deals with the large scale placement of filter rules in the set of all system filter rules.
In accordance with current requirements, to ensure consistent, predictable processing, SPD entries must be ordered and the SPD must always be searched in the same order, so that the first matching entry is consistently selected. This requirement is necessary because the effect of processing traffic against SPD entries must be deterministic, but there is currently no way to dynamically order or structure SPD entries. In addition to the problem of physical arrangement, there is the important problem of how the various VPN connections, which start and stop dynamically, should relate to each other and to existing filter rules.
If all the SPD entries were fairly static, a solution is to present the list of SPD entries in some suitable form to the user, who would then order it, then re-load the new ordering. Aside from the perhaps unappealing mechanics, the problem with this is that the SPD entries are not static. Both initiator and responder-mode connections require dynamically loading new connection filters. It is, therefore, not practical to expect the user to order these filters dynamically. Another approach would be to have the user specify an a priori ordering for connections started locally (say, auto-started or scheduled). The problem with this is that it adds yet another level of complexity to the already complex VPN configuration process, and does not work for responder-mode connections without even additional configuration complexity and perhaps unnecessary restrictions on responder-mode connections.
IP filter rules are processed top-to-bottom, in the order given by the user. IP security introduces a new level of complexity, because the filter rules now have to be placed in the right position dynamically by the system, since IP Security connections are dynamic. These filter rules also have to be removed dynamically. The IP Security (IPsec) Architecture (RFC 2401) does not actually define, much less suggest a solution for, the placement problem. There is, therefore, a need in the art for a system and method which gives the user direct and simple control over how its IP Security policy is enforced without requiring the customer to order the filter rules for each IP Security connection.
It is an object of the invention to provide an improved system and method for managing a set of filter rules.
It is a further object of the invention to provide a system and method for dynamically loading individual connection filters in a preexisting set of filters.
It is a further object of the invention to provide a system and method for enforcing a user's security policies, in the absence of started connections.
It is a further object of the invention to provide a solution for the macro placement of connection filters.
In accordance with the invention, a system and method are provided for implementing an IP security policy by manually specifying the order of policy filters within a filter set and thereafter dynamically placing VPN connection filters in the set of filters.
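To illustrate the first-match SPD search and the loading of an individual connection filter into a user-ordered policy set without reloading the whole set, here is an added Python example; it is not code from the patent, and its placement of a connection filter directly above the policy filter it belongs to, as well as the rule names and addresses, are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    name: str
    src: str                          # source CIDR
    dst: str                          # destination CIDR
    action: str                       # "IPSEC", "PERMIT" or "DENY"
    connection: Optional[str] = None  # set only on dynamically loaded connection filters

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


class SPD:
    def __init__(self, policy_rules: List[Rule]):
        self.rules = list(policy_rules)        # user-ordered policy filters

    def lookup(self, src: str, dst: str) -> Optional[Rule]:
        for rule in self.rules:                # always the same order: first match wins
            if rule.matches(src, dst):
                return rule
        return None

    def load_connection_filter(self, policy_name: str, rule: Rule) -> None:
        # Assumed placement: insert the connection filter immediately above its
        # policy filter so it is tried first; the rest of the set stays loaded.
        idx = next(i for i, r in enumerate(self.rules) if r.name == policy_name)
        self.rules.insert(idx, rule)

    def unload_connection(self, connection: str) -> None:
        self.rules = [r for r in self.rules if r.connection != connection]


# Constructed sample policy: user-ordered, specific rule first, deny-all last.
POLICY = [
    Rule("branch-to-hq", "10.1.0.0/16", "10.2.0.0/16", "IPSEC"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "DENY"),
]


def demo() -> List[str]:
    spd = SPD(POLICY)
    before = spd.lookup("10.1.5.5", "10.2.9.9").name   # policy filter selects traffic
    conn = Rule("conn-1", "10.1.5.0/24", "10.2.9.0/24", "IPSEC", connection="conn-1")
    spd.load_connection_filter("branch-to-hq", conn)  # connection starts
    during = spd.lookup("10.1.5.5", "10.2.9.9").name   # now the connection filter
    other = spd.lookup("10.1.7.7", "10.2.1.1").name    # still the policy filter
    spd.unload_connection("conn-1")                     # connection stops
    return [before, during, other, spd.lookup("10.1.5.5", "10.2.9.9").name]
```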
Other features and advantages of this invention will become apparent from the following detailed description of the presently preferred embodiment of the invention, taken in conjunction with the accompanying drawings.