Re: users and connections
Steve, I cannot find a copy of ISO 7498-2 anywhere in the RFCs.
Therefore, I don't have any idea what you are talking about. ISO 7498-2
is meaningless in the Internet context, and is not cited by our RFC.
The term "connection" in the Internet has long (more than a decade,
maybe even 2 decades) referred to a pair of ports, usually TCP ports.
The term "connection" is the same used in Bellovin's paper that is cited.
The text in RFC-1829 is about the need for integrity when combined with
some other service. In that much we agree. Indeed, TCP is explicitly
It has been privately suggested that to avoid confusion, the word
"session" could be substituted for "connection". Has some obscure
ISO document mandated "session" for some other purpose as well?
> From: Stephen Kent <email@example.com>
> The term "connection-oriented integrity" is not really appropriate
> in the IPSEC environment, even when the anti-replay option is enabled. The
> fact that we may provide keying at a per-connection or per-user granularity
> does not, in itself, represent connection-oriented integrity. What we
> provide is data origin authentication and connectionless integrity, and
> anti-replay provides what might be termed "partial" sequence integrity.
> However, we don't treat out of order arrival to be an error, unless it
> represents a (real or potential) replay, so what we provide in IPSEC is not
> connection-oriented integrity (as per ISO 7498-2). However, if we have TCP
> operating above IPSEC, and we are employing integrity (with or without
> anti-replay) then we are supporting connection-oriented integrity provided
> by TCP, even though IPSEC is not providing this service per se.
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
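The point Kent makes in the quoted paragraph, that anti-replay yields only "partial" sequence integrity because out-of-order arrival is tolerated while a repeated sequence number is rejected, is easiest to see in the receiver's replay check itself. The following is an added illustration, not code from either poster or from any IPsec implementation: it models the sliding-window check that IPsec receivers commonly use. The window size of 64, the starting sequence number of 1 and the helper names are assumptions for the example; extended sequence numbers and window-size negotiation are left out.

```python
# Added example: a sliding-window anti-replay check of the kind used by
# IPsec receivers.  It accepts packets that arrive out of order as long as
# they fall inside the window, rejects any sequence number already seen
# (a replay), and rejects numbers older than the window can track.
# Window size and starting sequence number are assumptions for this demo.

class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) seen

    def check_and_update(self, seq):
        """Return True if seq is acceptable and record it; False otherwise."""
        if seq == 0:
            return False   # assumed: sequence numbering starts at 1
        if seq > self.highest:
            # Packet is newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift < self.size:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1   # jumped past the whole window
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False   # too old: outside the window, cannot be vetted
        if (self.bitmap >> diff) & 1:
            return False   # already seen: this is a replay
        self.bitmap |= 1 << diff   # late but legitimate: accept and record
        return True


def run_sequence(seqs, size=64):
    """Feed a constructed arrival order through one window; return verdicts."""
    w = AntiReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: 3 and 4 arrive after 5 (accepted, out of
    # order is not an error); the second 3 and the second 2 are replays.
    print(run_sequence([1, 2, 5, 3, 4, 3, 2]))
```

Note what the check does and does not promise: the receiver never learns that 3 and 4 arrived after 5, so ordering is not enforced; it only guarantees that no accepted sequence number is accepted twice, and that anything older than the window is dropped. Connection-oriented ordering, as the quoted text says, is left to TCP above.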