Re: IPv6 Security Last Call Initial Questions (per user keying)
- To: Danny.Nessett@eng.sun.com
- Subject: Re: IPv6 Security Last Call Initial Questions (per user keying)
- From: Theodore Ts'o <tytso@MIT.EDU>
- Date: Fri, 31 Mar 1995 14:30:37 +0500
- Address: 1 Amherst St., Cambridge, MA 02139
- Cc: ipsec@ans.net, jis@MIT.EDU
- In-Reply-To: Dan Nessett's message of Fri, 31 Mar 1995 08:34:50 -0800, <199503311634.IAA04100@elrond.Eng.Sun.COM>
- Phone: (617) 253-8091
Date: Fri, 31 Mar 1995 08:34:50 -0800
From: Danny.Nessett@Eng.Sun.COM (Dan Nessett)
> Your suggestion:
> > Presumably the SPI will include the necessary keying material for the
> > security context.
> if I understand it correctly, confuses the SPI, which is the 32 bit
> identifier carried in IP packets, with the security context
> information it identifies. The SPI is just a number that anyone can
> guess or snoop from the network.
... which recent messages have termed the "SAID". This may all be a
confusion with the terminology that's used.
> and I am not opposed to trying this idea out. My only dispute is
> making the support for it mandatory. Claims by Perry Metzger to the
> contrary, I don't think we know enough about this approach to force
> implementers to support it.
On the contrary. In so far as we are requiring the support of
out-of-band keying as a default mechanism which must be implemented, the
ability to set the security context information outside of the kernel is
both (a) trivial, and (b) a good idea in terms of requiring abstraction
boundaries.
As Ran said, I don't see this as an editorial change, but rather being
more explicit in stating what has always been the case, as a fundamental
design philosophy.
- Ted
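The exchange above turns on one distinction: the SPI is a 32-bit number carried in the clear, while the security context it names (algorithm, key) is installed out of band, through an interface outside the packet path. The following is an added example, not code from this message or from any IPsec implementation, and it is a toy model rather than the draft's wire format: the packet layout (SPI, payload, authenticator), the use of HMAC-SHA256 as the authenticator, the `set_context` / `lookup` interface and all names and sample values are assumptions chosen for illustration.

```python
"""Toy model of the SPI / security-context split discussed in the thread.

Added example (not from the original message or any IPsec stack). The packet
format, key length, HMAC-SHA256 authenticator and the set_context() interface
are assumptions for illustration, not any RFC's field layout.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

MAC_LEN = 32  # HMAC-SHA256 digest length (assumption for this toy format)


@dataclass(frozen=True)
class SecurityContext:
    """What an SPI *identifies*: the algorithm and key, never carried on the wire."""
    algorithm: str
    key: bytes


class SecurityAssociationDatabase:
    """Receiver-side table keyed by (destination, SPI).

    set_context() models the 'outside the kernel' interface: a key-management
    process (manual/out-of-band keying or a daemon) installs keying material.
    The packet-processing path only ever looks contexts up by SPI.
    """

    def __init__(self):
        self._table = {}

    def set_context(self, dst, spi, ctx):
        if not 0 <= spi <= 0xFFFFFFFF:
            raise ValueError("SPI is a 32-bit identifier")
        self._table[(dst, spi)] = ctx

    def lookup(self, dst, spi):
        return self._table.get((dst, spi))


def build_auth_packet(spi, payload, ctx):
    """Sender: SPI in the clear, payload, then a keyed MAC over both.

    Only the SPI travels on the wire; the key stays inside the context."""
    header = struct.pack("!I", spi)
    mac = hmac.new(ctx.key, header + payload, hashlib.sha256).digest()
    return header + payload + mac


def verify_auth_packet(sad, dst, packet):
    """Receiver: read the 32-bit SPI, resolve it to a context, check the MAC.

    Returns the payload on success, None if the SPI is unknown or the MAC fails."""
    if len(packet) < 4 + MAC_LEN:
        return None
    (spi,) = struct.unpack("!I", packet[:4])
    payload, mac = packet[4:-MAC_LEN], packet[-MAC_LEN:]
    ctx = sad.lookup(dst, spi)
    if ctx is None:
        return None  # no context installed out of band for this SPI
    expected = hmac.new(ctx.key, packet[:4] + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def demo():
    """Legitimate sender succeeds; an attacker who snooped the SPI does not."""
    dst = "host-b"                    # constructed destination label
    spi = 0x1000                      # constructed SPI value
    ctx = SecurityContext("hmac-sha256", bytes(range(32)))  # constructed key
    sad = SecurityAssociationDatabase()
    sad.set_context(dst, spi, ctx)    # out-of-band installation step

    good = build_auth_packet(spi, b"hello", ctx)
    accepted = verify_auth_packet(sad, dst, good)

    # Attacker reads the SPI straight off the wire ...
    (snooped_spi,) = struct.unpack("!I", good[:4])
    # ... but has no context for it, so a forgery under a guessed key is rejected.
    forged = build_auth_packet(snooped_spi, b"evil",
                               SecurityContext("hmac-sha256", b"\x00" * 32))
    rejected = verify_auth_packet(sad, dst, forged)

    # A packet for an SPI nobody installed resolves to no context at all.
    unknown = build_auth_packet(0x2000, b"x", ctx)
    no_context = verify_auth_packet(sad, dst, unknown)
    return accepted, rejected, no_context


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that knowing the SPI buys the attacker nothing: the receiver resolves it to a context that was installed through `set_context`, and the keyed check fails for anyone who did not take part in that out-of-band step. The same split is what lets the installation interface live outside the kernel while the lookup stays in the packet path.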