[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPv6 Security Last Call Initial Questions (per user keying)




Dan Nessett says:
> >  On the contrary.  In so far as we are requiring the support of
> >  out-of-band keying as a default mechanism which must be implemented, the
> >  ability to set the security context information outside of the kernel is
> >  both (a) trivial, and (b) a good idea in terms of requiring abstraction
> >  boundaries.
> 
> Setting the security context information outside the kernel and doing so
> on a per-user basis are two very different things. When per-host keying
> is used, the IP implementation already has enough information, e.g., the
> destination address, to pass to a user-level daemon to establish/access a
> security context. When per-user keying is used, there will be changes
> required to the socket/TLI/XTI/etc/ interfaces so that an application can
> pass an SPI and security context information to the kernel.

You speak of these changes as if they were some sort of obstacle. They
aren't. They are just a few additions to the API, and aren't such a
big deal. I believe that more than one of us has already prototyped
such additions to the API and they seem straightforward.

BTW, I would appreciate it if you used our terminology. "SPI" isn't
the local jargon, and it gets difficult to keep track of all the terms
being bandied about. Please say "Security Association" or "SAID" if
you are refering to one of those...

Perry


Follow-Ups: References: