
Re: SAs and SPIs



What you are asking about is NOT what IPSec is about.

You are asking about multi-level security.  That's about labeling
everything with a security level.  It's about distrust between the
members of the same organization.  See the National Computer Security
Center "Orange Book".  Or see section 25.2 of Schneier's "Applied
Cryptography", which gives an introduction.  Also, see the RFCs on
the IP Security Option.

IPsec is primarily about protection from external predators.  Not from
internal ones.

Certainly, anyone paranoid to the Orange Book level would have unique
SAs for every transport connection.  But they need to be on C2 or B2
secure systems before IPsec will add any security.

(This is not to say that there isn't plenty of handwaving around the
"security policy negotiation" that is envisioned in ISAKMP/Oakley.)
