
Re: "user" and "network layer" security mechanisms.



> 
> Actually, you don't need to change the vnode interface at all.  All
> the hair lives below the vnode layer, either in the transport layer
> (which needs to carry around security associations in about the same
> way that it carries around IP addresses), in the filesystem itself, and
> in the interfaces between the filesystem, the transport, and the IP
> layer.
> 
> To nitpick (I have substantial familiarity with the innards of AFS and
> DCE/DFS, and once had similar familiarity with NFS):
> 
> There's already a "credentials" structure pointer in the vnode
> interface; traditionally, this contains just the effective, real, and
> saved user-id and group-id set.  AFS extends this to also include a
> "pointer" of sorts to the user's cryptographic credentials.  
> 
> This cred structure can be passed around within the kernel between
> different kernel threads/processes; in fact, it has to be, because of
> UNIX permission semantics... file descriptors are capabilities, and
> the credentials you use for I/O are the ones which were effective at
> the time open() was called, not the ones which are currently in effect
> in the current process.

And what do you do with third party streams multiplexers and/or SMP?
Trying to carry around extra credentials, either as an extension to the
credentials packet or as a separate structure pointed to by the credentials
packet falls apart in this scenario, I do think.

As for using the credentials which were effective at open time, this is
fine for standard Unix security policies, but as soon as you attempt to
deal with the more common current threats such as viruses, administrative
threats, internet access to systems with organizational confidential data,
then those policies are woefully insufficient, and some current credentials
are necessary.


-- 
Jon F. Spencer   spencerj@rtp.dg.com  (uunet!rtp.dg.com!spencerj)
Data General Corp.                  Phone : (919)248-6246
62 T.W. Alexander Dr, MS #119       FAX   : (919)248-6108
Research Triangle Park, NC  27709   Office RTP 121/9

	Reality is an illusion - perception is what counts.

	No success can compensate for failure at home.
			President David O. McKay

***** UCC 1-207 ********
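
The open-time check discussed in this message, as an added example that is not part of the original post: access is decided once at open(), so a descriptor obtained earlier keeps working after the permission it relied on is gone, while a fresh open() is judged against the current state. Assumptions: a POSIX system with a writable /tmp, and a file-mode change (rather than a change of process uid, which needs root) stands in for "credentials changed after open"; `fd_demo` and `fd_capability_demo` are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct fd_demo {
    int read_after_revoke; /* bytes read via the fd opened before chmod 0 */
    int reopen_errno;      /* errno of a fresh open() afterwards, 0 if it worked */
};

/* Create a scratch file, open it, strip every permission bit, then compare
 * I/O on the already-open descriptor with a new open() of the same path. */
int fd_capability_demo(struct fd_demo *out)
{
    char path[] = "/tmp/fdcap-demo-XXXXXX"; /* constructed scratch path */
    char buf[16];
    int fd = mkstemp(path);                 /* created mode 0600, owned by us */
    if (fd < 0)
        return -1;
    if (write(fd, "secret", 6) != 6) {      /* constructed sample content */
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    int rfd = open(path, O_RDONLY);         /* the access check happens here */
    if (rfd < 0 || chmod(path, 0) != 0) {   /* chmod 0: revoke all access */
        if (rfd >= 0) close(rfd);
        unlink(path);
        return -1;
    }
    /* No permission re-check on read(): the descriptor is the capability. */
    out->read_after_revoke = (int)read(rfd, buf, sizeof buf);

    int fd2 = open(path, O_RDONLY);         /* checked against the current mode */
    out->reopen_errno = (fd2 < 0) ? errno : 0;
    if (fd2 >= 0) close(fd2);
    close(rfd);
    unlink(path);
    return 0;
}

int main(void)
{
    struct fd_demo d;
    if (fd_capability_demo(&d) != 0) return 1;
    printf("old fd read %d bytes; reopen errno %d\n", d.read_after_revoke, d.reopen_errno);
    return 0;
}
```

Run it as an unprivileged user: a process holding the privilege to override file permission checks (typically root) passes the second open() as well, so `reopen_errno` is 0 there instead of EACCES.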

