
Re: IPv6 Security Last Call Initial Questions (per user keying)



Ted,

You argue:

>  On the contrary.  In so far as we are requiring the support of
>  out-of-band keying as a default mechanism which must be implemented, the
>  ability to set the security context information outside of the kernel is
>  both (a) trivial, and (b) a good idea in terms of requiring abstraction
>  boundaries.

Setting the security context information outside the kernel and doing so
on a per-user basis are two very different things. When per-host keying
is used, the IP implementation already has enough information, e.g., the
destination address, to pass to a user-level daemon to establish/access a
security context. When per-user keying is used, there will be changes
required to the socket/TLI/XTI/etc. interfaces so that an application can
pass an SPI and security context information to the kernel.

Dan
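The distinction Dan draws, that per-host keying lets the kernel pick a security association from information already in the packet (the destination address), whereas per-user keying needs the application to hand an SPI and security context to the kernel through the socket interface, can be made concrete with a small model. The following is an added illustration, not code from this thread or from any IPsec implementation; `SecurityAssociation`, `SADatabase`, `Socket.setsockopt_spi` and `select_outbound_sa` are hypothetical names chosen for the example, and the addresses, SPIs and user ids are constructed sample values.

```python
"""Toy model of per-host vs. per-user keying for outbound packets.

Constructed illustration: the SA database, socket and lookup functions
below are hypothetical and do not mirror any real kernel's IPsec code.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int            # Security Parameters Index
    dst: str            # destination address the SA applies to
    key: bytes          # constructed sample key material
    uid: Optional[int] = None   # None means host-scoped; otherwise bound to a user


class SADatabase:
    """Holds both host-scoped and user-scoped SAs."""

    def __init__(self) -> None:
        self._by_dst: Dict[str, SecurityAssociation] = {}            # per-host index
        self._by_spi: Dict[Tuple[str, int], SecurityAssociation] = {}  # per-user index

    def add(self, sa: SecurityAssociation) -> None:
        if sa.uid is None:
            self._by_dst[sa.dst] = sa
        self._by_spi[(sa.dst, sa.spi)] = sa

    def lookup_host(self, dst: str) -> Optional[SecurityAssociation]:
        """Per-host keying: the destination address alone selects the SA,
        so the IP layer needs nothing from the application."""
        return self._by_dst.get(dst)

    def lookup_user(self, dst: str, spi: int, uid: int) -> Optional[SecurityAssociation]:
        """Per-user keying: the SA is identified by an SPI the application
        supplied, and must belong to the user owning the socket."""
        sa = self._by_spi.get((dst, spi))
        if sa is None or sa.uid != uid:
            return None     # unknown SPI, or SA owned by a different user
        return sa


class Socket:
    """Minimal socket carrying the owning uid and, optionally, an SPI set
    by the application through a (hypothetical) socket option."""

    def __init__(self, uid: int) -> None:
        self.uid = uid
        self.spi: Optional[int] = None

    def setsockopt_spi(self, spi: int) -> None:
        # This is the extra interface per-user keying requires: the
        # application passes the SPI of its own SA down to the kernel.
        self.spi = spi


def select_outbound_sa(sad: SADatabase, sock: Socket, dst: str) -> Optional[SecurityAssociation]:
    """Kernel-side SA selection on send(): use the socket's SPI when the
    application supplied one, otherwise fall back to per-host selection."""
    if sock.spi is None:
        return sad.lookup_host(dst)
    return sad.lookup_user(dst, sock.spi, sock.uid)


def build_sample_sad() -> SADatabase:
    """Constructed sample database: one host-scoped SA and one user-scoped SA
    to the same destination."""
    sad = SADatabase()
    sad.add(SecurityAssociation(spi=0x1000, dst="2001:db8::1", key=b"host-key"))
    sad.add(SecurityAssociation(spi=0x2000, dst="2001:db8::1", key=b"user-key", uid=1000))
    return sad


if __name__ == "__main__":
    sad = build_sample_sad()
    plain = Socket(uid=1000)
    print(select_outbound_sa(sad, plain, "2001:db8::1"))        # host SA, no app involvement
    keyed = Socket(uid=1000)
    keyed.setsockopt_spi(0x2000)
    print(select_outbound_sa(sad, keyed, "2001:db8::1"))        # user SA chosen via SPI
    other = Socket(uid=1001)
    other.setsockopt_spi(0x2000)
    print(select_outbound_sa(sad, other, "2001:db8::1"))        # None: SA belongs to uid 1000
```

The third lookup is the check a per-user design has to add: because the SPI comes from the application rather than from packet headers, the kernel must verify that the named SA actually belongs to the socket's owner before using it.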

