Re: What can applications running over ipsec assume?

[smb@research.att.com]

	  > My own view is that the ipsec layer should pass the security charac
	teristics
	  > of a received packet up to the transport layer.  It, in turn, must
	  > match those characteristics against what the user has requested.  P
	ackets
	  > that don't meet those requirements are dropped.
	  > 
	 This seems sensible. It implies modifications to APIs at 2 layer
	 boundaries.  I guess if there was work proceeding to define these
	 API changes you would have mentioned it...

Well...  The interfaces from IP to the transport layer and from
the transport layer to the user I/O layer aren't open.  That there's
any coherency at all is because of the common ancestry of most
UNIX networking code -- and at that, there are now two very different
interfaces, mbufs+sockets and streams.

The interesting API is the user-to-kernel interface.  The only work I've
seen is draft-mcdonald-ipv6-sec-api-00.txt, which I didn't like for
various reasons.  (My apologies for being vague here; I had some
specific objections, but I don't remember them clearly any more,
and I'd rather not blather.)  I suspect we won't really know what
the API should be like until we've built a few.

---

• Prev by Date: Re: What can applications running over ipsec assume?
• Next by Date: Re: What can applications running over ipsec assume?
• Prev by thread: Re: What can applications running over ipsec assume?
• Next by thread: Re: What can applications running over ipsec assume?
• Index(es):
  • Main
  • Thread