
Re[2]: Granularity of authentication in swIPe





Ted:

You said:

     It depends on how you look at it.  If IPSP always passes a pointer 
     of the header structure to the crypto software along with the 
     ciphertext portion of the packet, the IPSP layer need not "know" 
     anything about what, if anything, some particular crypto layer 
     might use from the header portion of the packet.  It does have the 
     downside of making it harder to reuse that interface crypto layer 
     for some other non-IPSP layer on top --- but I'm not convinced 
     that that level of modularity is really all that worthwhile.

Boy, do I disagree.  Most cryptographic libraries do not include parsers 
for protocol headers.  Rather, the protocol engine parses the header, and 
then it calls on the cryptographic library to encrypt, decrypt, etc.  I just 
do not see cryptography as a "layer."  Rather, I see a security protocol as 
a "layer" that uses cryptographic modules.

Russ
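
The division of labor argued for in the reply above, as an added example (not part of the original message and not swIPe code): the protocol engine parses the header and decides which fields are authenticated, while the crypto module sees only opaque bytes. The 12-byte header layout, the field names, the unauthenticated hop count and the choice of HMAC-SHA-256 are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical header layout, constructed for this example (not swIPe's format):
# source address (4 bytes), destination address (4 bytes),
# key id (2 bytes), hop count (2 bytes, assumed to change in transit).
HEADER = struct.Struct("!4s4sHH")
TAG_LEN = 32  # HMAC-SHA-256 output length


def crypto_mac(key: bytes, data: bytes) -> bytes:
    """Crypto module: takes opaque bytes and knows nothing about headers."""
    return hmac.new(key, data, hashlib.sha256).digest()


def authenticated_bytes(header: bytes, payload: bytes) -> bytes:
    """Protocol engine: parse the header and pick the fields the MAC covers."""
    src, dst, key_id, _hops = HEADER.unpack(header)
    # The hop count is zeroed so that a change in transit does not break the
    # tag; every other field and the payload are covered.
    return HEADER.pack(src, dst, key_id, 0) + payload


def seal(key: bytes, src: bytes, dst: bytes, key_id: int, hops: int,
         payload: bytes) -> bytes:
    """Build header + payload + tag; the engine hands the module plain bytes."""
    header = HEADER.pack(src, dst, key_id, hops)
    tag = crypto_mac(key, authenticated_bytes(header, payload))
    return header + payload + tag


def open_packet(key: bytes, packet: bytes):
    """Return the payload if the tag verifies, otherwise None."""
    if len(packet) < HEADER.size + TAG_LEN:
        return None  # too short to hold a header and a tag
    header = packet[:HEADER.size]
    payload = packet[HEADER.size:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = crypto_mac(key, authenticated_bytes(header, payload))
    return payload if hmac.compare_digest(tag, expected) else None
```

Changing the granularity of authentication here means editing `authenticated_bytes` only; `crypto_mac` stays reusable under any other protocol.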

