[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPv6 Security Last Call Initial Questions (per user keying)

To: Danny.Nessett@eng.sun.com
Subject: Re: IPv6 Security Last Call Initial Questions (per user keying)
From: Theodore Ts'o <tytso@MIT.EDU>
Date: Thu, 30 Mar 1995 21:14:47 +0500
Address: 1 Amherst St., Cambridge, MA 02139
Cc: ipsec@ans.net, jis@MIT.EDU, sun-ipng-project@sunroof.eng.sun.com
In-Reply-To: Dan Nessett's message of Thu, 30 Mar 1995 16:48:09 -0800,<199503310049.AA10936@interlock.ans.net>
Phone: (617) 253-8091

   Date: Thu, 30 Mar 1995 16:48:09 -0800
   From: Danny.Nessett@Eng.Sun.COM (Dan Nessett)

   means that an IPv6 implementation must accept an SPI from an application
   and use it, then I think there might be some problems. For example,

    o  If the security context associated with a particular SPI is retrieved
       from somewhere other than the requesting process, how would the
       IP implementation know the application has the right to use it? 

Presumably the SPI will include the necessary keying material for the
security context.  If the application doesn't have the right to use it,
then it shouldn't have it.  If the application does have access to
keying material which it shouldn't have a right to, then you've got
bigger problems.....

I believe what's driving this as a requirement is that some applications
may want to exchange keying information on a user-specific level, using
some GSSAPI mechanism (including perhaps Kerberos), and that there be a
way to set the keys derived from authentication done at a user-specific
granularity to be used by the IPsec encryption encapsulation.

							- Ted

References:

Re: IPv6 Security Last Call Initial Questions (per user keying)

From: Danny.Nessett@eng.sun.com (Dan Nessett)

Prev by Date: Re: IPv6 Security Last Call Initial Questions
Next by Date: Re: IPv6 Security Last Call Initial Questions
Next by thread: Re: (IPng) Proposed Standard or no?
Index(es):
- Main
- Thread