Re: IPv6 Security Last Call Initial Questions (per user keying)

Dan Nessett says:
> means that an IPv6 implementation must accept an SPI from an application
> and use it, then I think there might be some problems. For example,
>  o  If the security context associated with a particular SPI is retrieved
>     from somewhere other than the requesting process, how would the
>     IP implementation know the application has the right to use it? 

Very easily. My implementation for 4.4BSD has a design to handle this
very nicely. Security Association related information is stored in the
kernel in SA structures, which are pointed to by the socket
structures. The processes have very limited ability to alter the
associations on their own, but they can be passed the associations
using the same mechanisms BSD uses to pass file descriptors
around. It's all very clean, if I do say so myself.

>  o  If the security context is accepted from the process along with
>     the SPI, how is this going to affect the programming interface? For
>     example, how will the security context state be passed in a way that
>     leaves existing interfaces reasonably unaffected (e.g., will new
>     ioctl calls to specify the integrity and confidentiality algorithms,
>     the keying information, and other security mechanism specific data
>     be required? Will there be new informational ioctl calls to find
>     out which algorithms the IP implementation supports?)?

Well, new calls (not ioctls) are indeed needed. You call this a
problem. This is hardly a problem. Old programs need not pay
attention, and new ones can if they like.

> IPv6 was agreed on after there was some implementation experience on
> which to base the decision. As far as I can tell, there is no
> implementation experience on which to base the decision for or
> against a mandatory requirement for supporting application supplied
> SPIs.

You are mistaken. I am developing the experience (so far no problems
have arisen), and I believe Ran is developing experience.

> So I still argue against making this a mandatory requirement.

If I might sound like a broken record, it would appear that you are
really against this because SKIP can't support it.
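
[Added example, not part of the original message and not code from the 4.4BSD implementation it describes: the descriptor-passing mechanism the reply refers to, sketched with SCM_RIGHTS over a Unix-domain socket. A pipe stands in for a socket whose kernel state points at a Security Association; send_fd, recv_fd and delegate_demo are hypothetical names. The child can use the object only once the holder passes it the descriptor.]

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send one descriptor over a Unix-domain socket as SCM_RIGHTS ancillary data. */
static int send_fd(int chan, int fd) {
    _Alignas(struct cmsghdr) char byte = 'S', ctl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    memset(ctl, 0, sizeof ctl);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns it, or -1 if none was attached. */
static int recv_fd(int chan) {
    _Alignas(struct cmsghdr) char byte, ctl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof ctl };
    int fd = -1;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* The parent holds the object (a pipe, standing in for a socket carrying an SA);
 * the child gains use of it only by being passed the descriptor. Returns 1 on success. */
int delegate_demo(void) {
    int chan[2], obj[2], status = 0; char buf[8] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) || pipe(obj)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                    /* child: drop every inherited copy first */
        close(obj[0]); close(obj[1]); close(chan[0]);
        int fd = recv_fd(chan[1]);     /* the only way back to the object */
        _exit(fd >= 0 && write(fd, "granted", 7) == 7 ? 0 : 1);
    }
    close(chan[1]);
    if (send_fd(chan[0], obj[1]) || waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 &&
           read(obj[0], buf, 7) == 7 && memcmp(buf, "granted", 7) == 0;
}
```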