Re: IPv6 Security Last Call Initial Questions (per user keying)
- To: Danny.Nessett@eng.sun.com
- Subject: Re: IPv6 Security Last Call Initial Questions (per user keying)
- From: Theodore Ts'o <tytso@MIT.EDU>
- Date: Fri, 31 Mar 1995 17:22:22 +0500
- Address: 1 Amherst St., Cambridge, MA 02139
- Cc: ipsec@ans.net, jis@MIT.EDU
- In-Reply-To: Dan Nessett's message of Fri, 31 Mar 1995 12:33:39 -0800,<199503312033.MAA04237@elrond.Eng.Sun.COM>
- Phone: (617) 253-8091

   Date: Fri, 31 Mar 1995 12:33:39 -0800
   From: Danny.Nessett@Eng.Sun.COM (Dan Nessett)

   Setting the security context information outside the kernel and doing so
   on a per-user basis are two very different things. When per-host keying
   is used, the IP implementation already has enough information, e.g., the
   destination address, to pass to a user-level daemon to establish/access a
   security context. When per-user keying is used, there will be changes
   required to the socket/TLI/XTI/etc. interfaces so that an application can
   pass an SPI and security context information to the kernel.

And you consider this difficult? As someone who does kernel hacking for
recreational purposes, adding a socket-level interface which will allow
this information to be passed in on a per-socket level, I would think
this will actually be easier to do than the necessary work of defining
a new interface for specifying which key needs to be used on a per-host
basis.
- Ted