Reconciling multiple IPsec and firewall policies

  • Tuomas Aura,
  • Mo Becker,
  • Michael Roe,
  • Piotr Zielinski

Security Protocols Workshop

Manually configuring large firewall policies can be a hard and error-prone task. It is even harder in the case of IPsec policies that can specify IP packets not only to be accepted or discarded, but also to be cryptographically protected in various ways. However, in many cases the configuration task can be simplified by writing a set of smaller, independent policies that are then reconciled consistently. Similarly, there is often the need to reconcile policies from multiple sources into a single one. In this paper, we discuss the issues that arise in combining multiple IPsec and firewall policies and present algorithms for policy reconciliation.