Re: ISAKMP DOI Question (General, Not IP Specific)
> > On a single-user system, this isn't so bad, but on a multi-user box with
> > malicious users, this could cause all sorts of chosen-plaintext problems.
>
> It depends on your local policy. I've never quite understood why
> SPI's (as names standing for SA's) aren't under access control. If
> Alice creates it, why should Bob be allowed to use it?

That was my point. I believe we're in agreement. On a single-user box,
there's only Alice. On a multi-user box, Bob shouldn't (modulo policy, of
course) be able to use any SA allocated for Alice.

Phew, I thought I'd flubbed up or something.

Dan