Re: What can applications running over ipsec assume?
I've been following the ipsec work for just about a year now, from
(among other things) the point of view of being a potential user of
these protocols.

As best I can tell, the current IPSEC architecture documents make no
mention of what services are visible from the point of view of
*applications* running on top of transport-layer protocols running
over ipsec.

Clearly, certain guarantees need to be made in order for IPSEC to
provide useful security services to applications. A number of them
seem fairly obvious to me.. but if everyone doesn't agree on what
these guarantees are, either interoperability or security or both will
suffer.

My own view is that the ipsec layer should pass the security characteristics
of a received packet up to the transport layer. It, in turn, must
match those characteristics against what the user has requested. Packets
that don't meet those requirements are dropped.
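
The check described in the message above, sketched as an added example (not code from the thread or from any IPsec implementation). The struct and function names, and the peer-identity field as one of the "security characteristics", are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model: what the IPsec layer learned about a received packet. */
struct pkt_sec {
    bool authenticated;     /* integrity/origin check passed */
    bool encrypted;         /* arrived under confidentiality protection */
    const char *peer_id;    /* claimed or verified peer identity, NULL if none */
};

/* Hypothetical model: what the application requested for its endpoint. */
struct sock_req {
    bool need_auth;
    bool need_encrypt;
    const char *need_peer;  /* required peer identity, NULL means any peer */
};

/* Transport-layer check: true means deliver, false means drop. */
bool sec_acceptable(const struct pkt_sec *p, const struct sock_req *r)
{
    if (r->need_auth && !p->authenticated)
        return false;
    if (r->need_encrypt && !p->encrypted)
        return false;
    if (r->need_peer != NULL) {
        /* An identity only counts if the packet was authenticated. */
        if (!p->authenticated || p->peer_id == NULL)
            return false;
        if (strcmp(p->peer_id, r->need_peer) != 0)
            return false;
    }
    return true;
}

/* Applies the check to a batch; returns how many packets would be delivered. */
size_t deliver_count(const struct pkt_sec *pkts, size_t n,
                     const struct sock_req *r)
{
    size_t delivered = 0;
    for (size_t i = 0; i < n; i++)
        if (sec_acceptable(&pkts[i], r))
            delivered++;
    return delivered;
}
```

The identity test fails closed: an unauthenticated packet that merely carries the expected identity string is dropped even when the endpoint did not separately ask for authentication.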