
Re: user keys




Cheryl Madson says:
> Anyhow, I trust that the requirement on per-user keying is for end
> systems only (or for intermediate systems that need to protect the
> data that they themselves generate); I hope that this wasn't being
> envisioned for encrypting routers or other external "transparent"
> encrypting devices.

I believe that you are correct on this, or that, rather, in the
"secure routing between secure networks over insecure networks" case
the "user" might be thought of as the routing system and not the
end user.

By the way, "user" really means "entity doing something to make the
packet enter the IPSP layer". On an end system, that's a client or
server program combined with the user id. This is not necessarily an
individual user in many cases; one might have different keys for
different daemons, for example, even though on some operating systems
the daemons might run under the same "user".

Of course, this is all an excessively complicated way of saying that,
yes, indeed, routers don't have to (and indeed in practice cannot)
provide per end-user keys -- although they might still provide
multiple keys between the same endpoints for all sorts of other
reasons, like assigning some traffic to faster but less secure crypto
methods or breaking up traffic to try to deceive SAID-based traffic
analysis.

.pm
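The keying-granularity distinction drawn in the message above, as an added example that is not part of the original post or of any IPSP implementation: an end system can select a security association by who handed the packet to the IPSP layer (uid plus program), whereas a transparent encrypting router only sees addresses and whatever it can classify from the packet, so it can at most hold several SAs between the same endpoint pair. The class and field names, the selector fallback order, the `traffic_class` field and the SAID values are all constructed for illustration.

```python
"""Toy security-association lookup illustrating keying granularity.

Constructed example, not code from the original mailing-list post.
Class names, selector fields and all sample values are assumptions
made for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    # Only an end system knows who caused the packet to enter the IPSP layer.
    uid: Optional[int] = None
    program: Optional[str] = None
    # Something a router can see and classify on (constructed field).
    traffic_class: str = "default"


@dataclass(frozen=True)
class SecurityAssociation:
    said: int        # Security Association IDentifier carried in the packet
    key_id: str      # handle to the key material, never the key itself
    cipher: str      # placeholder cipher label


class EndSystemSAD:
    """Per-'user' keying: the selector includes uid and program, so two
    daemons running under the same uid can still be given different SAs."""

    def __init__(self) -> None:
        self._table: Dict[Tuple, SecurityAssociation] = {}

    def add(self, src: str, dst: str, sa: SecurityAssociation,
            uid: Optional[int] = None, program: Optional[str] = None) -> None:
        self._table[(src, dst, uid, program)] = sa

    def lookup(self, pkt: Packet) -> Optional[SecurityAssociation]:
        # Most specific selector first, falling back to plain per-host keying.
        for sel in ((pkt.src, pkt.dst, pkt.uid, pkt.program),
                    (pkt.src, pkt.dst, pkt.uid, None),
                    (pkt.src, pkt.dst, None, None)):
            if sel in self._table:
                return self._table[sel]
        return None


class RouterSAD:
    """A transparent encrypting router never sees uid or program, so
    per-end-user keys are impossible; it can still keep several SAs
    between the same endpoints, here chosen by traffic class."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[str, str, str], SecurityAssociation] = {}

    def add(self, src: str, dst: str, sa: SecurityAssociation,
            traffic_class: str = "default") -> None:
        self._table[(src, dst, traffic_class)] = sa

    def lookup(self, pkt: Packet) -> Optional[SecurityAssociation]:
        sa = self._table.get((pkt.src, pkt.dst, pkt.traffic_class))
        if sa is None:
            sa = self._table.get((pkt.src, pkt.dst, "default"))
        return sa


def build_demo() -> Tuple[EndSystemSAD, RouterSAD]:
    """Populate both tables with constructed sample SAs between one host pair."""
    src, dst = "10.0.0.1", "10.0.0.2"
    host = EndSystemSAD()
    host.add(src, dst, SecurityAssociation(1, "key-host", "cipher-strong"))
    # Two daemons under the same uid, each with its own key.
    host.add(src, dst, SecurityAssociation(2, "key-httpd", "cipher-strong"), uid=1, program="httpd")
    host.add(src, dst, SecurityAssociation(3, "key-smtpd", "cipher-strong"), uid=1, program="smtpd")

    router = RouterSAD()
    router.add(src, dst, SecurityAssociation(10, "key-bulk", "cipher-strong"))
    # A second SA for the same endpoints using a faster, weaker method.
    router.add(src, dst, SecurityAssociation(11, "key-fast", "cipher-fast"), traffic_class="fast")
    return host, router


def selected_saids(pkt: Packet) -> Tuple[Optional[int], Optional[int]]:
    """Return (end-system SAID, router SAID) chosen for the same packet."""
    host, router = build_demo()
    h, r = host.lookup(pkt), router.lookup(pkt)
    return (h.said if h else None, r.said if r else None)
```

Running `selected_saids` on packets from the two daemons shows the end system picking SAID 2 and 3 while the router picks SAID 10 for both; only a different `traffic_class` moves the router to its second SA.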