
Re[5]: (IPng) More Endpoint Attributes



I'm getting confused here.  I guess I don't understand the association
model.  The "IPv6 Security Architecture" in section 5.3 sez "The
Security Association Identifiers (SAIDs) used in the IPv6 security
mechanisms are receiver-oriented, making them well suited for use in IP
multicast."

I'm trying to figure out what to put in a packet to send it for some
hypothetical example.  Let's assume the first hop is a router that
doesn't know anything about security; it just picks the packet up from
this LAN and moves it to another LAN.  The second hop is a security
aware router and I guess it knows about the SAID and enforces whether
the packet is allowed (or directs the path of the packet depending on
the packet contents).  Eventually the packet ends up at the other host
I want to talk with.

What is the receiver in this case?
	is it the local router that doesn't know about security,
	is it the security-knowledgeable router, or
	is it the final destination?

If the receiver is the intermediate security aware router, how does 
the sender figure out what SAID that receiver wants?  
I guess I'm assuming the IPv4 model where all the sender knows is 
the next hop.  Maybe there are some IPv6 mechanisms I don't know about.


> To: "Dean D. Throop" <throop@dg-rtp.dg.com>
> Cc: Dean.Jagels@sciatl.com, ipsec@ans.net, bayerl@zk3.dec.com
> Subject: Re: Re[3]: (IPng) More Endpoint Attributes 
> In-Reply-To: Your message of Thu, 16 Mar 95 15:46:00 -0500.
>              <199503162046.AA25161@interlock.ans.net> 
> Date: Fri, 17 Mar 95 10:16:43 -0500
> From: Steve Kent <kent@BBN.COM>

> Dean,
> 
> 	I believe the SAID is meaningful only to the end points of the
> security association.  If a router is acting as an endpoint, then it
> has the necessary labeling info from the association establishment
> procedure.  If a router is not an endpoint, I would not expect it to
> have access to the mapping from SAID to sensitivity level.  Perhaps
> I misunderstood your discussion about routers looking at SAIDs to
> make routing decisions based on sensitivity level.
> 
> Steve
> 

Dean Throop		throop@dg-rtp.dg.com
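Steve's point that the SAID is meaningful only to the endpoints, together with the section 5.3 remark that SAIDs are receiver-oriented, can be sketched as a small model. This is an added illustration, not code from this thread or from any IPv6 implementation; the establishment step, the addresses, the labels and the single object standing in for a multicast group are all assumptions.

```python
# Added illustration of receiver-oriented SAIDs; not code from the original
# message or from any IPv6 implementation. Assumes a simplified association
# establishment in which the receiver allocates the SAID and hands it to the
# sender, and a packet carrying only a destination address and a SAID.

class Endpoint:
    """A host (or a router acting as an SA endpoint). It allocates SAIDs
    from its own namespace, so a SAID is meaningful only to this receiver."""

    def __init__(self, addr):
        self.addr = addr
        self.sa_table = {}          # SAID -> sensitivity label (constructed)

    def establish(self, sensitivity):
        """Association establishment: the receiver chooses the SAID and
        returns the (receiver address, SAID) pair the sender must use."""
        said = len(self.sa_table) + 1
        self.sa_table[said] = sensitivity
        return (self.addr, said)

    def receive(self, pkt):
        """Only an endpoint can map the SAID back to its association."""
        return self.sa_table.get(pkt["said"])


class TransitRouter:
    """A router that is not an endpoint: it forwards on the destination
    address alone and has no SAID -> association mapping to consult."""

    def forward(self, pkt):
        return pkt["dst"]           # next hop chosen from the dst only


def send(sender_view, payload):
    """The sender needs only what establishment gave it: (dst, SAID)."""
    dst, said = sender_view
    return {"dst": dst, "said": said, "payload": payload}


def demo():
    a, b = Endpoint("host-a"), Endpoint("host-b")
    group = Endpoint("ff1e::1")     # stands in for a multicast group (constructed)
    sa_a = a.establish("secret")
    sa_b = b.establish("public")    # also SAID 1: no clash, different receiver
    sa_g = group.establish("group-secret")  # one SAID serves every member
    hosts = {e.addr: e for e in (a, b, group)}
    hops = [TransitRouter(), TransitRouter()]
    results = {}
    for view, payload in ((sa_a, b"x"), (sa_b, b"y"), (sa_g, b"z")):
        pkt = send(view, payload)
        for r in hops:
            r.forward(pkt)          # transit routers never touch the SAID
        results[view] = hosts[pkt["dst"]].receive(pkt)
    results["unknown"] = a.receive(send(("host-a", 2), b"q"))  # no SA: None
    return results
```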