Policy conditions consist of a variety of selection criteria that act as filters for IP filtering rules. Traffic can be filtered based on source and destination IP addresses, source and destination ports, protocol, direction, routing information, and security class. For other types of IPSec policies, policy conditions contain information about dynamic key exchange filters or dynamic VPN tunnels. For more details, see IP security.
IP filter rules and key exchange rules can refer to one or more policy conditions. A policy rule with a single policy condition is known as a simple rule; a rule with more than one condition is known as a complex rule. The conditions of a complex IP filter rule or key exchange rule are evaluated in Conjunctive Normal Form (CNF), that is, as an ANDed set of ORed conditions: traffic matches the rule only if it satisfies at least one alternative in every condition group. For details on CNF, see Policy object model overview.
Complex IP filter rules are split into multiple simple rules when they are installed in the TCP/IP stack. The following conditions make an IP filter rule complex:
If multiple source addresses (or address ranges) are specified in a rule, the rule is considered complex. Multiple source addresses can be specified by referencing a set or group of addresses from the rule (IpSourceAddrGroupRef).
If multiple destination addresses (or address ranges) are specified in a rule, the rule is considered complex. Multiple destination addresses can be specified by referencing a set or group of addresses from the rule (IpDestAddrGroupRef).
If multiple IpService statements are specified in a rule, the rule is considered complex. Multiple IpService statements can be specified either inline or by referencing a group of IpService statements (IpServiceGroupRef).
If the Direction parameter of an IpService statement is configured as bidirectional, the rule is considered complex, because the single statement covers both inbound and outbound traffic.
Complex key exchange rules are split to produce multiple simple rules. The IKE daemon retrieves simple rules when necessary. The following conditions can make a complex key exchange rule:
If multiple IP addresses (or address ranges) are specified in a local security endpoint, the associated key exchange rule is considered complex. You can specify multiple IP addresses by referencing a set or group of addresses from the local security endpoint (LocationGroupRef).
If multiple IP addresses (or address ranges) are specified in a remote security endpoint, the associated key exchange rule is considered complex. You can specify multiple IP addresses by referencing a set or group of addresses from the remote security endpoint (LocationGroupRef).
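The two lists above (the conditions that make an IP filter rule complex, and those that make a key exchange rule complex), together with the CNF evaluation of a complex rule, as an added example in Python. This is not z/OS Communications Server code; it is a model of the behaviour the text describes. The rule, packet and endpoint values, the names SshAndIke and Ke1, and the helper function names are constructed for the example. The model also assumes a convention for bidirectional IpService statements: the rule's source is the local side and its destination the remote side, so the inbound half is matched with addresses and ports swapped.

```python
"""Added model (not z/OS Communications Server code) of simple and complex IPSec
policy rules: CNF matching of a complex IP filter rule, its split into simple
rules, and the same split for a key exchange rule.  Assumed convention: in a
bidirectional IpService the rule's source is the local side and its destination
the remote side, so the inbound half is matched with addresses and ports swapped.
All rules and packets below are constructed samples."""
from collections import namedtuple
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import product

# protocol: "tcp"/"udp"/"icmp"/"all"; a port of None means any port;
# direction: "inbound", "outbound" or "bidirectional"
IpService = namedtuple("IpService", "protocol src_port dst_port direction")
# direction here is the packet's direction relative to this host
Packet = namedtuple("Packet", "src dst protocol src_port dst_port direction")
# LocalSecurityEndpoint / RemoteSecurityEndpoint addresses (several via LocationGroupRef)
KeyExchangeRule = namedtuple("KeyExchangeRule", "name local_endpoint remote_endpoint")

@dataclass(frozen=True)
class IpFilterRule:
    name: str
    src_addrs: tuple    # IpSourceAddr, or the members of an IpSourceAddrGroupRef
    dst_addrs: tuple    # IpDestAddr, or the members of an IpDestAddrGroupRef
    services: tuple     # inline IpService statements, or an IpServiceGroupRef
    action: str = "permit"

    def is_complex(self) -> bool:
        """The four conditions from the text that make an IP filter rule complex."""
        return (len(self.src_addrs) > 1 or len(self.dst_addrs) > 1 or len(self.services) > 1
                or any(s.direction == "bidirectional" for s in self.services))

def ke_is_complex(rule: KeyExchangeRule) -> bool:
    return len(rule.local_endpoint) > 1 or len(rule.remote_endpoint) > 1

def addr_matches(addr: str, spec: str) -> bool:
    """spec is a host, a CIDR prefix or a 'low-high' range."""
    a = ip_address(addr)
    if "-" in spec:
        lo, hi = (ip_address(x.strip()) for x in spec.split("-", 1))
        return lo <= a <= hi
    return a in ip_network(spec, strict=False)

def service_matches(pkt: Packet, svc: IpService) -> bool:
    """Literal match of a packet against a unidirectional service."""
    return (svc.direction == pkt.direction and svc.protocol in ("all", pkt.protocol)
            and svc.src_port in (None, pkt.src_port) and svc.dst_port in (None, pkt.dst_port))

def orient(rule: IpFilterRule) -> list:
    """Resolve bidirectional services (assumed convention): the outbound half keeps
    the rule's orientation, the inbound half gets addresses and ports swapped.
    Returns one or two rules that contain only unidirectional services."""
    forward = tuple(s._replace(direction="outbound") if s.direction == "bidirectional" else s
                    for s in rule.services)
    swapped = tuple(IpService(s.protocol, s.dst_port, s.src_port, "inbound")
                    for s in rule.services if s.direction == "bidirectional")
    rules = [replace(rule, services=forward)]
    if swapped:
        rules.append(replace(rule, src_addrs=rule.dst_addrs, dst_addrs=rule.src_addrs,
                             services=swapped))
    return rules

def cnf_matches(rule: IpFilterRule, pkt: Packet) -> bool:
    """Conjunctive normal form: AND over the condition groups, OR within each group."""
    groups = ((lambda a: addr_matches(pkt.src, a), rule.src_addrs),
              (lambda a: addr_matches(pkt.dst, a), rule.dst_addrs),
              (lambda s: service_matches(pkt, s), rule.services))
    return all(any(term(m) for m in members) for term, members in groups)

def matches(rule: IpFilterRule, pkt: Packet) -> bool:
    return any(cnf_matches(r, pkt) for r in orient(rule))

def split_filter_rule(rule: IpFilterRule) -> list:
    """The simple rules the stack installs for a complex rule: one per
    (source, destination, service) combination after orientation."""
    simple = []
    for r in orient(rule):
        for s, d, svc in product(r.src_addrs, r.dst_addrs, r.services):
            simple.append(IpFilterRule(f"{rule.name}~{len(simple)}", (s,), (d,), (svc,), rule.action))
    return simple

def split_key_exchange_rule(rule: KeyExchangeRule) -> list:
    """One simple key exchange rule per (local, remote) endpoint address pair."""
    return [KeyExchangeRule(f"{rule.name}~{i}", (lo,), (re,))
            for i, (lo, re) in enumerate(product(rule.local_endpoint, rule.remote_endpoint))]

def split_is_equivalent(rule: IpFilterRule, packets) -> bool:
    """The CNF verdict on the complex rule equals 'some simple rule matches'."""
    simple = split_filter_rule(rule)
    return all(matches(rule, p) == any(cnf_matches(s, p) for s in simple) for p in packets)

SAMPLE_RULE = IpFilterRule(  # constructed sample: two sources, one range, two services
    "SshAndIke", ("10.1.1.0/24", "10.1.2.5"), ("192.168.0.1 - 192.168.0.10",),
    (IpService("tcp", None, 22, "bidirectional"), IpService("udp", None, 500, "outbound")))
SAMPLE_PACKETS = [  # constructed sample traffic
    Packet("10.1.2.5", "192.168.0.3", "tcp", 40000, 22, "outbound"),  # ssh request: match
    Packet("192.168.0.3", "10.1.2.5", "tcp", 22, 40000, "inbound"),   # ssh reply: match
    Packet("10.1.1.7", "192.168.0.9", "udp", 500, 500, "outbound"),   # IKE out: match
    Packet("192.168.0.9", "10.1.1.7", "udp", 500, 500, "inbound"),    # IKE in: no match
    Packet("10.1.2.5", "192.168.0.3", "tcp", 40000, 23, "outbound"),  # telnet: no match
]
```

matches() evaluates the rule in the complex form that pasearch displays, while split_filter_rule() produces the simple form installed in the TCP/IP stack (six rules for SAMPLE_RULE: two sources, one destination and two oriented services, plus the swapped inbound half of the ssh service against two destinations). split_is_equivalent() checks that both views reach the same verdict on every sample packet, which is why the split is transparent to the policy but visible in ipsec and IKE displays.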
For more details on these IPSec policy configuration statements and parameters, see z/OS Communications Server: IP Configuration Reference.
The pasearch command displays IP filter rules and key exchange rules as the complex rules defined in the policy, not as the simple rules into which they are split when they are installed in the TCP/IP stack or retrieved by the IKE daemon.
For IP filter rules and key exchange rules, the condition-level summaries in pasearch output are not applicable and are always displayed as all zeros.