
Re: Re[5]: (IPng) More Endpoint Attributes



Dean,

	In your example, the first router to implement IPSP (an
intermediate vs. first hop router in your example) would be an IPSP
endpoint, and the final destination would be an IPSP endpoint.  The
SAIDs exist only at the intermediate router and the final destination.
I assume the sender does not implement IPSP in your example and thus
it does not deal with an SAID.  The tone of your comments makes the
SAID sound more like a security label, which it is not.  Only systems,
hosts or routers, implementing IPSP make use of SAIDs.  Perhaps an
issue you are raising indirectly is how a host communicates its
security requirements to a router (first hop or intermediate), where
IPSP is implemented.  In other network layer security protocols there
is no facility for this; rather the router makes its decisions about
what security service to provide based on local management info and an
examination of (IP and, if it cheats, TCP) header information.  In
such circumstances, there is not a one-to-one correspondence between
SAID and source/destination IP addresses, because the router may group
security-equivalent streams associated with different hosts into a
single security association that terminates at another router.

Steve
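The point in the message above, that an intermediate IPSP router selects a security association from local management information plus IP (and, if it cheats, transport) header fields, and that several hosts' streams may therefore share one SAID, can be made concrete with a toy model. The following Python is an added illustration, not code from the mailing-list post or from any IPSP implementation; the class names, the policy rules, the SAID numbering and the IPv6 addresses are all constructed for this example.

```python
# Toy model (constructed for this example) of an intermediate router acting as
# the first IPSP endpoint on a path.  It classifies packets by IP header fields
# (plus transport port, the "cheat" the message mentions) against a local
# policy table, and maps each policy decision to ONE security association with
# its own SAID.  Several (src, dst) host pairs can land in the same SA, so the
# SAID is an SA handle at the two endpoints, not a per-address security label.

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str      # IPv6 source address (sender does not implement IPSP)
    dst: str      # IPv6 destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port, the transport-header field the router peeks at


@dataclass
class SecurityAssociation:
    said: int          # identifier meaningful only at the two SA endpoints
    peer: str          # router at the far end of the SA
    service: str       # security service, e.g. "encrypt+auth" or "auth"
    members: set = field(default_factory=set)   # (src, dst) pairs carried by this SA


class IPSPRouter:
    """Intermediate router that is the first IPSP endpoint for transit hosts."""

    def __init__(self):
        # Local management info, checked in order:
        # (src_prefix, dst_prefix, proto or None, dport or None, service, peer)
        self.policy = []
        # One SA per (service, peer) decision; the SAID is local to this SA.
        self.sas = {}
        self._next_said = 0x100   # constructed starting value

    def add_policy(self, src_net, dst_net, proto, dport, service, peer):
        self.policy.append(
            (ip_network(src_net), ip_network(dst_net), proto, dport, service, peer))

    def classify(self, pkt):
        """Return (service, peer) for the first matching rule, or None for no IPSP."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for src_net, dst_net, proto, dport, service, peer in self.policy:
            if (src in src_net and dst in dst_net
                    and (proto is None or proto == pkt.proto)
                    and (dport is None or dport == pkt.dport)):
                return service, peer
        return None   # no rule: forward in the clear, no SAID involved

    def select_sa(self, pkt):
        """Pick (or create) the SA that will carry this packet; None if unprotected."""
        decision = self.classify(pkt)
        if decision is None:
            return None
        sa = self.sas.get(decision)
        if sa is None:
            service, peer = decision
            sa = SecurityAssociation(self._next_said, peer, service)
            self._next_said += 1
            self.sas[decision] = sa
        # Security-equivalent streams from different hosts share the same SA.
        sa.members.add((pkt.src, pkt.dst))
        return sa


def build_demo_router():
    """Constructed policy: mail between two sites is encrypted, the rest of the
    inter-site traffic is only authenticated, everything else is unprotected."""
    r = IPSPRouter()
    r.add_policy("2001:db8:1::/48", "2001:db8:2::/48", "tcp", 25, "encrypt+auth", "2001:db8:2::1")
    r.add_policy("2001:db8:1::/48", "2001:db8:2::/48", None, None, "auth", "2001:db8:2::1")
    return r


if __name__ == "__main__":
    r = build_demo_router()
    for p in (Packet("2001:db8:1::10", "2001:db8:2::50", "tcp", 25),
              Packet("2001:db8:1::20", "2001:db8:2::60", "tcp", 25),
              Packet("2001:db8:1::10", "2001:db8:2::50", "tcp", 80),
              Packet("2001:db8:9::1", "2001:db8:2::50", "tcp", 25)):
        sa = r.select_sa(p)
        print(p.src, "->", p.dst, ":", "clear" if sa is None else f"SAID {sa.said:#x} ({sa.service})")
```

Running it shows two different source hosts sharing SAID 0x100, the same host pair landing on a second SAID when the service differs, and an out-of-policy source getting no SAID at all, which is the many-to-one relationship the message describes.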