
Re: IPv6 Security Last Call Initial Questions (per user keying)



   Date: Sat, 01 Apr 95 09:56:15 -0500
   From: bound@zk3.dec.com

   We also must make sure that if the default is to not use security per
   the user but does want to now use it for a specific application that it
   is possible without altering the default to not use security by this
   user.

This is an application issue.  My assumption here is that the
application will do its own negotiations to determine what
authentication/key management scheme (X.509, Kerberos, GSSAPI, etc.) to
use to obtain a user-level authentication and a session key.  How this
happens precisely is an application issue and thus out of scope of
IPSEC.

But once the application has negotiated a key, we simply need a way to
allocate an SPI and set that key into the kernels, on both ends of the
connection.  

   I am not clear on what you "define" as the context to be changed above?
   So I will wait to respond.

Well, things are simple if all you need to do is to specify a particular
SPI (and associated security association information) with a TCP
connection when that TCP connection is created.  You simply need to
set an appropriate socket option before the accept() and listen() calls.
Things are a bit more difficult if you want to change the SPI which
should be used with a TCP connection after the TCP connection is already
established.  That was the second case which I was talking about.  The
"context" I was talking about is the SPI and the associated encryption
information associated with that SPI.

						- Ted
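The two cases Ted distinguishes (binding an SPI to a connection before it is used, versus swapping the SPI on an established connection) are easier to see in a small model. The following is an added example written for this page, not code from the message or from any IPsec implementation: it models each host's SA database as a table keyed by SPI, an application that is simply handed a negotiated key, a socket-like object whose outbound SPI is its "context", and a rekey that rebinds that context mid-connection. All names (SADB, Connection, protect, verify, run) are invented for the model; the AH-style HMAC tag, the receiver-side SPI allocation starting at 256, and the in-flight queue are assumptions used to show why the second case is harder: segments already on the wire still carry the old SPI, so the receiver cannot tear down the old inbound SA the moment the sender switches.

```python
"""
Toy model of the per-connection IPsec "context" discussed above: an SA
database keyed by SPI on each host, a socket-like object bound to an
outbound SPI, and a rekey that swaps the SPI on an established connection.
All names here are invented for the model; this is not a kernel API.
"""
import hmac
import hashlib
from collections import deque


class SADB:
    """One host's security association database: SPI -> authentication key."""

    def __init__(self):
        self.sas = {}

    def allocate_spi(self):
        # Assumption: the receiving side picks an SPI it is not already using,
        # starting above the small reserved range.
        spi = 256
        while spi in self.sas:
            spi += 1
        return spi

    def install(self, spi, key):
        self.sas[spi] = key

    def remove(self, spi):
        self.sas.pop(spi, None)

    def lookup(self, spi):
        return self.sas.get(spi)


def protect(spi, key, payload):
    """AH-style protection: the tag covers the SPI and payload under the SA's key."""
    tag = hmac.new(key, spi.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return (spi, payload, tag)


def verify(sadb, packet):
    """Receiver side: look up the SA by SPI; no SA or a bad tag drops the packet."""
    spi, payload, tag = packet
    key = sadb.lookup(spi)
    if key is None:
        return None
    expected = hmac.new(key, spi.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


class Connection:
    """Stands in for a TCP socket whose outbound SPI is set by a socket option."""

    def __init__(self, out_spi):
        self.out_spi = out_spi

    def set_spi(self, spi):
        self.out_spi = spi


def negotiate_and_install(sender_sadb, receiver_sadb, key):
    """Key negotiation is the application's business; we are just handed a key.
    The receiver allocates the SPI, then both kernels install the same SA."""
    spi = receiver_sadb.allocate_spi()
    receiver_sadb.install(spi, key)
    sender_sadb.install(spi, key)
    return spi


def run(rekey_keeps_old_sa):
    """Returns (first SPI, second SPI, payloads the receiver accepted)."""
    sender, receiver = SADB(), SADB()
    wire = deque()  # constructed in-flight queue between the two hosts

    spi1 = negotiate_and_install(sender, receiver, b"session-key-1")
    conn = Connection(spi1)  # first case: context bound before the connection is used

    for seq in (1, 2, 3):
        wire.append(protect(conn.out_spi, sender.lookup(conn.out_spi), b"seg%d" % seq))

    # Second case: change the SPI on the already-established connection.
    spi2 = negotiate_and_install(sender, receiver, b"session-key-2")
    conn.set_spi(spi2)
    if not rekey_keeps_old_sa:
        receiver.remove(spi1)  # naive: tear down the old inbound SA immediately
    wire.append(protect(conn.out_spi, sender.lookup(conn.out_spi), b"seg4"))

    delivered = []
    while wire:
        payload = verify(receiver, wire.popleft())
        if payload is not None:
            delivered.append(payload)
    receiver.remove(spi1)  # careful path: retire the old SA only once it has drained
    return spi1, spi2, delivered


if __name__ == "__main__":
    print("naive rekey delivered:", run(False)[2])
    print("graceful rekey delivered:", run(True)[2])
```

With the naive teardown only the segment sent after the switch survives; keeping the old inbound SA installed until the in-flight segments have drained delivers all four. In a real kernel the same consideration applies to the receiver's inbound SA for the old SPI, which is why changing the context of a live connection needs a handover rather than a single setsockopt-style swap.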