Re: SAs and SPIs
Ran Atkinson wrote:
<deleted to save space>
> > Let us suppose Amgen wants to use IPSEC to control and
> > protect its transmitted and received messages. Within Amgen are a number of
> > projects and the results and data associated with each project need to be
> > protected from outside competitors. Also Amgen employees working on one
> > project only in selected cases are allowed to receive results from other
> > projects. There are managers at several levels who have access to varying
> > parts of the developments. There is also a personnel dept., a medical
> > dept., and a payroll-financial dept. In addition, Amgen has research
> > arrangements with five other biotech firms which work on several of the
> > projects and there is some communication possible between several of them as
> > well as with the relevant Amgen projects.
>
> The above describes a security policy at a high level. The IETF IPsec specs
> are designed to support a wide variety of different kinds of policy, but the
> IETF does not mandate any particular security policy.
>
> > Now, how are the SPI-SA combinations set up to handle this traffic
> > and how are they (dynamically) controlled?
<deleted to save space>
I hesitate to jump in here, but here goes. We have what appears to me
to be those that talk about implementing security policy, and those that
are looking for a description of how the use of IPSEC-compliant products
will support an implementation in a scenario as described above.
The way I read Mr. Bartee's message is that he is looking to ascertain
if there is a design and implementation mechanism within the IPSEC RFCs
that will provide a feature in products to give security personnel and
system administrators the capability to establish "security domains" (I
can feel the backlash from the use of the word domain ;-)) within an
organization that prevents the establishment of SPI-SA combinations and
secure data communications between designated groups/departments.
If I have missed the mark, my apologies for cluttering up the mailbox of
the group.
Regards,
John Horton
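The following is an added illustration, not part of the thread and not anyone's product: a toy model of the RFC 2401 processing that answers the question above about where "security domains" live. Each host keeps an ordered Security Policy Database (selectors mapping to DISCARD, BYPASS or PROTECT; no match means discard) and a Security Association Database indexed by (SPI, destination address, ESP). An SA is only created when a PROTECT entry is hit and the peer's own SPD also returns PROTECT, so a DISCARD entry on either side prevents the SPI/SA combination from ever being set up. The addresses, the three-group layout (two projects and one partner firm) and the key-management stand-in that hands the responder-chosen SPI straight back are all constructed for the example.

```python
"""Toy model of IPsec SPD/SAD processing (RFC 2401), written as an example."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"
ESP = 50  # IP protocol number of ESP; the SAD is indexed by (SPI, dst, protocol)


@dataclass(frozen=True)
class Selector:
    """SPD selector: source prefix, destination prefix, optional upper-layer protocol."""
    src: str
    dst: str
    proto: Optional[int] = None  # None means any protocol

    def matches(self, src, dst, proto):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == proto))


@dataclass
class SA:
    spi: int
    selector: Selector  # the traffic this SA was negotiated for


class IPsecHost:
    def __init__(self, addr, spd):
        self.addr = addr
        self.spd = spd      # ordered (Selector, action) pairs; first match wins
        self.sad = {}       # (spi, dst_addr, ESP) -> SA for traffic we receive
        self.outbound = {}  # peer addr -> SA for traffic we send

    def policy(self, src, dst, proto):
        for sel, action in self.spd:
            if sel.matches(src, dst, proto):
                return sel, action
        return None, DISCARD  # no SPD entry matches: discard by default

    def accept_sa(self, initiator, proto):
        """Key-management stand-in (assumed, not IKE): the responder consults its own
        SPD and, if policy allows, allocates the SPI on which it will receive."""
        sel, action = self.policy(initiator, self.addr, proto)
        if action != PROTECT:
            return None  # responder's policy refuses; no SA is created on either side
        spi = secrets.randbelow(0xFFFFFFFF - 256) + 256  # SPIs 1..255 are reserved
        sa = SA(spi, sel)
        self.sad[(spi, self.addr, ESP)] = sa
        return sa

    def send(self, dst, proto, hosts):
        """Outbound processing: SPD lookup, then find or negotiate the SA."""
        sel, action = self.policy(self.addr, dst, proto)
        if action != PROTECT:
            return action, None
        sa = self.outbound.get(dst)
        if sa is None:  # no SA yet: trigger negotiation with the peer
            sa = hosts[dst].accept_sa(self.addr, proto)
            if sa is None:
                return DISCARD, None  # peer refused, packet is dropped
            self.outbound[dst] = sa
        return PROTECT, sa.spi

    def receive(self, spi, src, proto):
        """Inbound processing: SAD lookup by (SPI, dst, ESP), then selector check."""
        sa = self.sad.get((spi, self.addr, ESP))
        if sa is None:
            return DISCARD  # unknown SPI
        if not sa.selector.matches(src, self.addr, proto):
            return DISCARD  # packet arrived on an SA whose selectors do not cover it
        return PROTECT


def scenario():
    """Constructed layout: project A, project B, and one partner firm's network."""
    A, B, PARTNER = "10.1.0.0/16", "10.2.0.0/16", "192.0.2.0/24"
    a_spd = [(Selector(A, A), PROTECT), (Selector(A, PARTNER), PROTECT),
             (Selector(A, B), DISCARD)]            # everything else: implicit discard
    b_spd = [(Selector(B, "0.0.0.0/0"), PROTECT)]  # deliberately over-permissive
    hosts = {h: IPsecHost(h, spd) for h, spd in
             [("10.1.0.5", a_spd), ("10.1.0.9", a_spd), ("10.2.0.5", b_spd)]}
    a1, a2, b1 = hosts["10.1.0.5"], hosts["10.1.0.9"], hosts["10.2.0.5"]
    TCP, out = 6, {}
    action, spi = a1.send("10.1.0.9", TCP, hosts)
    out["a1_to_a2"] = action                                  # SA set up inside A
    out["a2_accepts"] = a2.receive(spi, "10.1.0.5", TCP)
    out["spoofed_src"] = a2.receive(spi, "10.2.0.5", TCP)     # valid SPI, wrong selector
    out["a1_to_b1"] = a1.send("10.2.0.5", TCP, hosts)[0]      # a1's own SPD refuses
    out["b1_to_a1"] = b1.send("10.1.0.5", TCP, hosts)[0]      # a1's SPD refuses b1's SA
    out["b1_sa_count"] = len(b1.outbound)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The last two results are the point of the model: the group boundary holds even when one side's policy is sloppy, because the SA is never established unless both SPDs agree, and the inbound selector check means a valid SPI cannot be used to smuggle traffic from an address the SA does not cover.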