
Re: "user" and "network layer" security.



> From: "M.C.Nelson" <netsec@panix.com>
> 
> There is no concept of "user" at the IP layer (i.e. the network layer).  
> [A:] Moreover, there is no clean and reliable way to map from IP datagram to
> user.  Any such code will be problematic unless the functionality of
> IP is severely altered.  [B:] For example, consider a transport protocol
> that combines service to several users simultaneously.

IP datagrams can, however, be associated unambiguously with src and dst
addresses and port numbers, which (must necessarily) map unambiguously to
processes, which in turn can map to users on those systems which support
the notion of users.  Your example B above is proof that assertion
A is incorrect.


> The most appropriate place to discuss and design "user" security 
> mechanisms would seem to be in another discussion group.

IPSEC is designing two protocols.  One of them operates at the IP layer
and performs transforms on packets.  The other operates at the application
layer and establishes the keys for the first.

It may indeed be appropriate to divide the effort into two working groups
and two mailing lists.  It would certainly be easier to explain what is
meant for a product to be "IPSEC-compliant" if there were another label
"IP-SA-MGT-compliant" to remove the overloading from the first.  But the
current IPSEC charter is not so divided, therefore discussions of key
management, application-layer daemons, and "users" are currently
appropriate for this group.


> It is difficult
> to understand how one could use the term "user" anywhere below the 
> application layer.

Perhaps it would be easier to understand how the term "context" (in the
sense of the X window system's "graphics context" - a pointer to a
blob of data) fits in at the IP layer.  IP doesn't need to interpret
the entire contents of the blob, just the parts it's interested in.

To: "Mitchell C. Nelson" <nelson@mcn.netsec.com>
Cc: ipsec@TIS.COM, netsec@panix.com
Subject: Re: "user" and "network layer" security mechanisms. 
In-Reply-To: Your message of "Fri, 16 Aug 1996 16:55:16 EDT."
             <199608162055.QAA01070@mcn.netsec.com> 
Reply-To: perry@piermont.com
X-Reposting-Policy: redistribute only with permission
Date: Mon, 19 Aug 1996 11:02:16 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID:  <9608191101.aa03898@neptune.TIS.COM>


"Mitchell C. Nelson" writes:
> Language in the Internet draft IPSEC architecture, and in its predecessor
> RFC 1825, refers to "IP-layer security".  This is in itself consistent with
> language in the IPSEC charter that refers to a "security protocol in the
> network layer".  However, several contributions to this discussion group,
> as well as other language in the IPSEC documents, refer to the term "user". 
> This is curious.
> 
> There is no concept of "user" at the IP layer (i.e. the network layer).  

You seem to have missed the point, which is that IPSEC has this notion
of "security association" (actually, now it's called "Security
Parameters" and has the associated "Security Parameters Index").

Why don't you go through the archives instead of making guesses about
what you think IPSEC does?

Perry
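Both the "context" pointer described in the first reply and Perry's point about the Security Parameters Index can be sketched in a few lines. The following is an added illustration written for this archive page, not code from either poster or from any IPSEC implementation; the selector fields, SPI values, host addresses and user labels are all constructed.

```python
# Constructed model: an IP packet carries no "user", only an SPI; any user
# identity lives in the SA context that (dst, SPI) points to.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Selector:
    """Outbound policy selector: only the fields the IP layer can see."""
    src: str
    dst: str
    proto: int                    # 6 = TCP, 17 = UDP
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (pkt["src"] == self.src and pkt["dst"] == self.dst
                and pkt["proto"] == self.proto
                and (self.dport is None or pkt["dport"] == self.dport))

@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    context: dict   # opaque blob: algorithm, keys, and optionally a user label

SPD: list[tuple[Selector, int]] = []                   # ordered (selector, spi)
SAD: dict[tuple[str, int], SecurityAssociation] = {}   # (dst, spi) -> SA

def install(sa: SecurityAssociation, sel: Selector) -> None:
    """Register an SA and the policy selector that steers traffic onto it."""
    SAD[(sa.dst, sa.spi)] = sa
    SPD.append((sel, sa.spi))

def outbound_spi(pkt: dict) -> Optional[int]:
    """Map a plain outbound packet to an SPI by selectors; first match wins."""
    for sel, spi in SPD:
        if sel.matches(pkt):
            return spi
    return None

def inbound_context(pkt: dict) -> Optional[dict]:
    """Inbound: (dst, spi) alone names the context; no user field is parsed."""
    sa = SAD.get((pkt["dst"], pkt["spi"]))
    return sa.context if sa else None

# Constructed sample: two flows from one host to one peer, distinguished only
# by destination port, are steered onto two SAs whose contexts carry labels.
install(SecurityAssociation(0x1001, "10.0.0.2", {"alg": "HMAC-MD5", "user": "alice"}),
        Selector("10.0.0.1", "10.0.0.2", 6, 25))
install(SecurityAssociation(0x1002, "10.0.0.2", {"alg": "HMAC-MD5", "user": "bob"}),
        Selector("10.0.0.1", "10.0.0.2", 6, 80))
```

A packet whose selector matches nothing, or whose SPI is unknown at the receiver, yields None, which is the case a real implementation must drop rather than guess about.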