Re: "user" and "network layer" security mechanisms.

[wobber@pa.dec.com]

Charles Watt says:

>>    The bottom line:  if you use a network layer security protocol to
>>    propagate user-level information, you can cover perhaps 95% of current
>>    use (you can invent a number just as easily as I) easily, but you will not 
>>    be able to cover everything.  How critical is this shortfall?  Well that's
>>    rather dependent upon what you are doing, isn't it?

In a Mandatory Access Control world, perhaps this 5% shortfall is 
a significant problem.

However, in less-rigorous environments it would seem a Good Thing 
to offer user-level security to a broad majority of applications
without inventing yet another security infrastructure at application 
level.

As long as IPSec enables security policies that restrict the form of 
acceptable SA identities (e.g. to IP addresses), I can see little 
reason to enforce such a limit by mandate. 

However, I am concerned about your comments on the cost of "propagating" 
user-level identity within the network code.  How much of this cost 
do you attribute to the nature of your MAC environment?  I imagine 
that for some protocol elements the job might have been straightforward, 
and for others not.  Does the majority of the cost come from fitting 
square pegs into round holes? 

Regards,

Ted Wobber
DEC Systems Research Center

---

Follow-Ups:

• Re: "user" and "network layer" security mechanisms.
• From: Ran Atkinson <rja@cisco.com>

---

• Prev by Date: Re: "user" and "network layer" security mechanisms.
• Next by Date: Re: "user" and "network layer" security mechanisms.
• Prev by thread: Re: "user" and "network layer" security mechanisms.
• Next by thread: Re: "user" and "network layer" security mechanisms.
• Index(es):
  • Main
  • Thread