Abstract

Manually configuring large firewall policies can be a hard
and error-prone task. It is even harder in the case of IPsec
policies that can specify IP packets not only to be accepted
or discarded, but also to be cryptographically protected in
various ways. However, in many cases the configuration
task can be simplified by writing a set of smaller, independent
policies that are then reconciled consistently. Similarly,
there is often a need to reconcile policies from
multiple sources into a single one. In this paper, we discuss
the issues that arise in combining multiple IPsec and
firewall policies and present algorithms for policy reconciliation.
