
Re: ISAKMP DOI Question (General, Not IP Specific)



<Pine.LNX.3.94.961218131355.3555A-100000@P-spatsch.cs.arizona.edu> from
"Oliver Spatscheck" at Dec 18, 96 01:15:54 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@portal.ex.tis.com
Precedence: bulk

> >On outbound calls there is no notion of a SPI. The only information 
> >available to identify an SA is:
> >
> >Destination Addr
> >Port number
> >
> I think that is an API question. Our API allows one to attach an SPI to
> outbound traffic at the application layer.

I agree with Oliver and Ran that on outbound data, you can (or should be able
to) specify quite a bit about what properties you want in your SA (or SAs).

What worries me a little here (Steve Bellovin, help me out here anytime you
wish!  :) is that I can specify the actual security association of the
outbound traffic.

On a single-user system, this isn't so bad, but on a multi-user box with
malicious users, this could cause all sorts of chosen-plaintext problems.

Just a thought.
--
Daniel L. McDonald | Mail: danmcd@eng.sun.com   Phone: (415) 786-6815        +
Software Engineer  | *** My opinions aren't necessarily Sun's opinions! ***  |
SunSoft Internet   | "rising falling at force ten                            |
        Engineering|  we twist the world and ride the wind"  -  Rush         +
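The concern raised above (a local user on a multi-user host steering his own
outbound traffic into an SA that policy would not have chosen for it) can be
made concrete with a small model. The following is an added example, not code
from this message, from Sun, or from any real IPsec implementation. It assumes
a hypothetical outbound SA table in which each SA records the uid that
installed it (or None for a host-wide SA), a default selection path keyed on
destination address and port, and an explicit select-by-SPI path that refuses
to bind another user's SA to the caller's packets unless the caller is
privileged. All names, SPIs, addresses and uids are constructed for the
example.

```python
"""Toy outbound SA selection with an ownership check (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str
    port: Optional[int]       # None: SA covers any port to dst
    owner_uid: Optional[int]  # None: host-wide SA, usable by anyone via policy


class SelectionError(Exception):
    """Raised when a caller asks for an SA it may not use for this packet."""


class OutboundSADB:
    def __init__(self) -> None:
        self._by_spi: Dict[int, SA] = {}

    def install(self, sa: SA) -> None:
        self._by_spi[sa.spi] = sa

    def select_by_policy(self, dst: str, port: int, caller_uid: int) -> Optional[SA]:
        """Default outbound path: match on (dst, port), restricted to SAs the
        caller may use (host-wide or his own); a port-qualified SA beats a
        wildcard one."""
        best: Optional[SA] = None
        for sa in self._by_spi.values():
            if sa.dst != dst or not (sa.port is None or sa.port == port):
                continue
            if sa.owner_uid not in (None, caller_uid):
                continue
            if best is None or (best.port is None and sa.port is not None):
                best = sa
        return best

    def select_by_spi(self, spi: int, dst: str, port: int, caller_uid: int,
                      caller_privileged: bool = False) -> SA:
        """Explicit path: the application names an SPI. The SA must still fit
        the packet's selectors, and an unprivileged caller may only bind
        traffic to a host-wide SA or one he installed himself, so he cannot
        push chosen plaintext through another user's keys."""
        sa = self._by_spi.get(spi)
        if sa is None:
            raise SelectionError("no such SPI")
        if sa.dst != dst or not (sa.port is None or sa.port == port):
            raise SelectionError("SA selectors do not cover this packet")
        if not caller_privileged and sa.owner_uid not in (None, caller_uid):
            raise SelectionError("SA belongs to another user")
        return sa


def build_demo_db() -> OutboundSADB:
    """Constructed SA table: one host-wide SA to 10.0.0.1, one per-user SA
    for uid 1001 covering port 443 on the same host."""
    db = OutboundSADB()
    db.install(SA(spi=0x100, dst="10.0.0.1", port=None, owner_uid=None))
    db.install(SA(spi=0x200, dst="10.0.0.1", port=443, owner_uid=1001))
    return db


def demo() -> dict:
    """Run the scenarios and return which SPI each request was bound to
    (or 'denied')."""
    db = build_demo_db()
    out = {}
    out["uid1001_policy_443"] = db.select_by_policy("10.0.0.1", 443, 1001).spi
    out["uid1000_policy_443"] = db.select_by_policy("10.0.0.1", 443, 1000).spi
    out["uid1000_policy_22"] = db.select_by_policy("10.0.0.1", 22, 1000).spi
    try:
        out["uid1000_spi_0x200"] = db.select_by_spi(0x200, "10.0.0.1", 443, 1000).spi
    except SelectionError:
        out["uid1000_spi_0x200"] = "denied"
    out["root_spi_0x200"] = db.select_by_spi(0x200, "10.0.0.1", 443, 0,
                                             caller_privileged=True).spi
    try:
        out["uid1001_spi_0x200_port22"] = db.select_by_spi(0x200, "10.0.0.1", 22, 1001).spi
    except SelectionError:
        out["uid1001_spi_0x200_port22"] = "denied"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} -> {v if v == 'denied' else hex(v)}")
```

The point of the two-stage check is that letting the application name an SPI
is fine as an API, but the kernel (or whatever owns the SA table) still has to
decide whether that binding is allowed: the selectors must cover the packet,
and the caller must have some right to the keys behind that SPI. On a
single-user machine the owner check collapses to "always yes"; on a
multi-user machine it is what stops one user from feeding chosen plaintext
into another user's SA.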