
Re: SAs and SPIs



Ran Atkinson wrote:
<deleted to save space>
> > Let us suppose Amgen wants to use IPSEC to control and
> > protect its transmitted and received messages. Within Amgen are a number of
> > projects and the results and data associated with each project need to be
> > protected from outside competitors. Also Amgen employees working on one
> > project only in selected cases are allowed to receive results from other
> > projects.  There are managers at several levels who have access to varying
> > parts of the developments.  There is also a personnel dept., a medical
> > dept., and a payroll-financial dept.  In addition, Amgen has research
> > arrangements with five other biotech firms which work on several of the
> > projects and there is some communication possible between several of them as
> > well as with the relevant Amgen projects.
> 
> The above describes a security policy at a high level.  The IETF IPsec specs
> are designed to support a wide variety of different kinds of policy, but the
> IETF does not mandate any particular security policy.
> 
> >         Now, how are the SPI-SA combinations set up to handle this traffic
> > and how are they (dynamically) controlled?
<deleted to save space>

I hesitate to jump in here, but here goes.  We have what appears to me
to be those that talk about implementing security policy, and those that
are looking for a description of how the use of IPSEC compliant products
will support an implementation in a scenario as described above.

The way I read Mr. Bartee's message is that he is looking to ascertain
if there is a design and implementation mechanism within the IPSEC RFCs
that will provide a feature in products to give security personnel and
system administrators the capability to establish "security domains" (I
can feel the backlash from the use of the word domain ;-) ) within an
organization that prevents the establishment of SPI-SA combinations and
secure data communications between designated groups/departments.

If I have missed the mark, my apologies for cluttering up the mailbox of
the group.

Regards,
John Horton
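To make the question concrete, here is an added example (not from this thread, nor from any IPsec product) that models the policy side in Python: an ordered Security Policy Database (SPD) decides, per address pair, whether traffic between two groups is protected, bypassed or discarded, and a Security Association Database (SAD) keyed by (SPI, destination, protocol) holds only the SAs that policy allowed to exist. The addresses, group layout and rule set are constructed for illustration.

```python
"""Toy model of IPsec policy control: an ordered SPD gates which
SPI-SA combinations may be established between groups, and a SAD keyed
by (SPI, destination, protocol) holds the SAs that policy permitted.
Addresses and group names are constructed examples."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str       # CIDR of the source group
    dst: str       # CIDR of the destination group
    action: str    # "PROTECT", "BYPASS" or "DISCARD"


# Ordered SPD: first match wins, so the specific allow for project A ->
# project B must precede the blanket discard between all internal groups.
SPD = [
    Rule("10.1.0.0/24", "10.2.0.0/24", "PROTECT"),   # project A -> project B
    Rule("10.0.0.0/8", "10.0.0.0/8", "DISCARD"),     # every other internal pair
    Rule("10.0.0.0/8", "192.0.2.0/24", "PROTECT"),   # company -> partner firm
]


def spd_lookup(src: str, dst: str) -> str:
    """Return the policy action for a source/destination address pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in SPD:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return "DISCARD"    # default deny when no selector matches


SAD = {}   # (spi, dst, proto) -> dict describing the SA


def establish_sa(src: str, dst: str, spi: int, proto: str = "ESP"):
    """Create an SA only when policy says this traffic must be PROTECTed."""
    if spd_lookup(src, dst) != "PROTECT":
        return None   # DISCARD forbids the SA; BYPASS does not need one
    key = (spi, dst, proto)
    if key in SAD:
        raise ValueError("SPI already in use for this destination/protocol")
    SAD[key] = {"src": src, "dst": dst, "proto": proto}
    return key


def sad_lookup(spi: int, dst: str, proto: str = "ESP"):
    """Inbound lookup: an SPI identifies an SA only together with dst and proto."""
    return SAD.get((spi, dst, proto))
```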

