
Re: Questions on the Security Arch. draft



Sumit,

	We are in the process of re-writing the architecture document and
will address this question in the revised version.  If one is using
security labels and these labels are implicitly bound to an SA, then it
might be appropriate for a gateway terminating a (tunnel mode) SA to
introduce such labels into the decapsulated IP header.  However, this could
backfire if this header were covered by transport mode AH!  So, we need to
be careful in describing under what circumstances this intermediate system
processing is appropriate.  I'm not sure that there is other authentication
data that ought to be addressed here, in a general fashion, and so we may
tighten this part of the spec to focus only on security labels, to the
extent appropriate.

	Ran, as the author of this version of the architecture document, is
there anything else you'd like to add to this reply?

Steve
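
The interaction described in the message above, as an added example that is not part of the original e-mail: a simplified end-to-end AH check over an inner IPv4 header, showing that an ordinary routing hop leaves the ICV valid while a gateway that inserts a label option after decapsulation does not. Assumptions: HMAC-SHA256 stands in for the AH authenticator, the AH header itself is left out of the ICV input, and all function names, the key, the addresses and the option bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"          # constructed key for the end-to-end SA
LABEL = bytes([130, 4, 0xAB, 0x00])    # constructed 4-byte option, type 130 (Security)

def ipv4_header(src, dst, payload_len, ttl=64):
    """Option-less 20-byte IPv4 header; protocol 51 = AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0x1234, 0, ttl, 51, 0, src, dst)

def ah_icv(header, payload, key=KEY):
    """ICV over the header with its mutable fields zeroed, plus the payload."""
    h = bytearray(header)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()

def verify(header, payload, icv):
    """Receiver-side check in constant time."""
    return hmac.compare_digest(ah_icv(header, payload), icv)

def route_hop(header):
    """Ordinary forwarding: only the (mutable) TTL changes."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)

def gateway_insert_label(header, label=LABEL):
    """Tunnel-terminating gateway adds a label option to the inner header."""
    h = bytearray(header)
    h[0] = (h[0] & 0xF0) | ((h[0] & 0x0F) + len(label) // 4)   # IHL grows
    total = struct.unpack("!H", h[2:4])[0] + len(label)
    h[2:4] = struct.pack("!H", total)                           # total length grows
    return bytes(h) + label      # checksum left stale; it is zeroed for the ICV anyway

PAYLOAD = b"constructed upper-layer data"
SENT = ipv4_header(bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]), len(PAYLOAD))
ICV = ah_icv(SENT, PAYLOAD)      # computed by the original sender

if __name__ == "__main__":
    print("after routing hop:  ", verify(route_hop(SENT), PAYLOAD, ICV))
    print("after label insert: ", verify(gateway_insert_label(SENT), PAYLOAD, ICV))
```

The inserted option changes the header length, the total length and the option bytes, all of which the end-to-end ICV covers, so the final receiver rejects the packet.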



