
Re: users and connections



Bill,

The term "connection-oriented integrity" is not really appropriate
in the IPSEC environment, even when the anti-replay option is enabled.  The
fact that we may provide keying at a per-connection or per-user granularity
does not, in itself, represent connection-oriented integrity. What we
provide is data origin authentication and connectionless integrity, and
anti-replay provides what might be termed "partial" sequence integrity.
However, we don't treat out-of-order arrival as an error, unless it
represents a (real or potential) replay, so what we provide in IPSEC is not
connection-oriented integrity (as per ISO 7498-2).  However, if we have TCP
operating above IPSEC, and we are employing integrity (with or without
anti-replay), then we are supporting connection-oriented integrity provided
by TCP, even though IPSEC is not providing this service per se.

Steve
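The anti-replay behaviour described in the message above (late, out-of-order arrival tolerated; duplicates and packets that fell behind the window rejected), as an added example that is not part of the original message or of any IPSEC implementation: a 64-packet sliding window of the kind an AH/ESP receiver keeps per SA, run over a constructed arrival trace. REPLAY_WINDOW, replay_check and the trace values are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added illustration (not from the message above): a 64-packet anti-replay
 * window of the kind an IPsec AH/ESP receiver keeps per SA. "top" is the
 * highest sequence number accepted; bit i of "bitmap" marks sequence (top-i)
 * as seen. Late arrival inside the window is accepted ("partial" sequence
 * integrity); only duplicates and packets behind the window are rejected. */
#define REPLAY_WINDOW 64
struct replay_state {
    uint32_t top;     /* highest sequence number accepted so far (0 = none) */
    uint64_t bitmap;  /* bit i set => sequence number (top - i) was received */
};
void replay_init(struct replay_state *st) { memset(st, 0, sizeof *st); }

/* Returns true and records seq if it is fresh; false for a replay or a
 * packet too old to check. ESP/AH sequence numbers start at 1, never 0. */
bool replay_check(struct replay_state *st, uint32_t seq) {
    if (seq == 0) return false;
    if (seq > st->top) {                      /* new high-water mark */
        uint32_t shift = seq - st->top;       /* slide the window forward */
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : st->bitmap << shift;
        st->bitmap |= 1;                      /* bit 0 is "top" itself */
        st->top = seq;
        return true;
    }
    uint32_t diff = st->top - seq;
    if (diff >= REPLAY_WINDOW) return false;  /* behind the window: drop */
    uint64_t bit = (uint64_t)1 << diff;
    if (st->bitmap & bit) return false;       /* already seen: replay */
    st->bitmap |= bit;                        /* late but fresh: accept */
    return true;
}

/* Constructed arrival trace (hypothetical, not a capture): sequence numbers
 * in arrival order and the verdict a correct window must give for each. */
#define SAMPLE_LEN 11
static const uint32_t sample_seq[SAMPLE_LEN] = {1, 2, 5, 3, 3, 70, 7, 6, 70, 69, 69};
static const bool     sample_ok[SAMPLE_LEN]  = {1, 1, 1, 1, 0,  1, 1, 0,  0,  1,  0};

/* Runs the trace through a fresh window; returns how many verdicts differ
 * from the expected ones (0 means the window behaved as described). */
int replay_demo_mismatches(void) {
    struct replay_state st;
    int bad = 0;
    replay_init(&st);
    for (int i = 0; i < SAMPLE_LEN; i++)
        bad += replay_check(&st, sample_seq[i]) != sample_ok[i];
    return bad;
}
```

Note that sequence 3 arriving after 5 is accepted while the second copy of 3 is not, and sequence 6 is dropped only because the jump to 70 moved the window past it; neither case is an integrity failure in the ISO 7498-2 connection-oriented sense.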



