
Re: ISAKMP DOI Question (General, Not IP Specific)



> >  On a single-user system, this isn't so bad, but on a multi-user box with
> >  malicious users, this could cause all sorts of chosen-plaintext problems.
> 
> It depends on your local policy.  I've never quite understood why
> SPI's (as names standing for SA's) aren't under access control.  If
> Alice creates it, why should Bob be allowed to use it?

That was my point.  I believe we're in agreement.  On a single-user box,
there's only Alice.  On a multi-user box, Bob shouldn't (modulo policy, of
course) be able to use any SA allocated for Alice.

Phew, I thought I'd flubbed up or something.

Dan

