Re: (IPng) More Endpoint Attributes
Date: Wed, 15 Mar 95 16:12:07 -0500
From: Andy Bayerl <bayerl@zk3.dec.com>
But that still means that a given transaction carries only a single SAID
which addresses a specific SA. In the MLS CMW world, any or all of the
attributes associated with one or both ends of a connection may modulate.
This means that we need a SAID for all the attribute combinations that
are used during a session. For example, in our (DEC MLS) world using
trusted X-windows, the process privilege set may modulate at a fairly
high frequency. In addition Information Labels may float based upon the
data accessed and visible in a window at any given time. Now for any
given session there may not be a *lot* of different privileges and/or
information labels, but we still would need a SAID to represent each
combination used and the total number is multiplicative as we add more
users with different privileges, more sensitivity levels, etc.
Andy,
You seem to be making an assumption that you need a different
SAID to represent a different SA every time the attributes associated
with a SA change (or "modulates", using your terminology).
If it is only the attributes associated with an SA which are
modulating, while the SA remains constant --- since a SA lasts the
lifetime of a TCP connection --- why can't the SAID remain the same,
since it is still the same Security Association? True, the process
privilege set may be bouncing up and down, but if it's the same security
association, it should be the same SAID. It's only the attributes which
are changing.
- Ted