
Re: SAs and SPIs



John,

	There is a blank section of the architecture document that
addresses the MLS issue, more generically described as information flow
security models.  It is possible to make use of IPsec to support such
models, but we are probably going to defer the details to another document,
to facilitate faster completion of the current document.  However, the
general approach would be roughly as follows:

	- include security authorization info in certificates, so that the
authorized processing ranges for each user/host/net are available.  This can
include hierarchic and non-hierarchic authorizations.

	- expand the SPD to include references to the sensitivity labels
associated with the users/hosts/nets, as a means of expressing data flow
access controls

	-  use the authorization info from the certificates as an input to
the SA management procedure, along with the SPD, to establish sensitivity
ranges for each SA

	- hosts authorized to process data at multiple levels
(compartments, etc.) can use separate SAs for different levels, with
implicit labelling for each SA.

Steve
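
The approach outlined in the message above, as an added example that is not part of the original message or of the architecture document: the sensitivity range for an SA is computed as the intersection of both peers' certificate-authorized ranges and the SPD entry, and one SA is created per level so the SA itself serves as the implicit label. The level names, compartment names, SPI values and all function and field names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed hierarchic levels, low to high (not taken from the message).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

@dataclass(frozen=True)
class Range:
    """Authorized processing range: hierarchic bounds plus non-hierarchic compartments."""
    low: int                 # index into LEVELS
    high: int                # index into LEVELS
    compartments: frozenset  # non-hierarchic authorizations

def intersect(*ranges):
    """Return the range every input permits, or None if the levels do not overlap."""
    low = max(r.low for r in ranges)
    high = min(r.high for r in ranges)
    if low > high:
        return None
    comps = frozenset.intersection(*(r.compartments for r in ranges))
    return Range(low, high, comps)

def negotiate_sas(local_cert, peer_cert, spd_entry):
    """SA management step: one SA per level in the common range (implicit labelling)."""
    common = intersect(local_cert, peer_cert, spd_entry)
    if common is None:
        return []  # no level both peers and the policy allow, so no SA is set up
    return [{"spi": 0x1000 + i,  # constructed SPI values
             "level": LEVELS[lvl],
             "compartments": common.compartments}
            for i, lvl in enumerate(range(common.low, common.high + 1))]

def sa_for_packet(sas, level, compartments):
    """Pick the SA whose implicit label covers the data; None means drop."""
    for sa in sas:
        if sa["level"] == level and set(compartments) <= sa["compartments"]:
            return sa
    return None

# Constructed sample authorizations: two host certificates and one SPD entry.
HOST_A = Range(1, 3, frozenset({"NATO", "CRYPTO"}))
HOST_B = Range(0, 2, frozenset({"NATO"}))
SPD_ENTRY = Range(1, 2, frozenset({"NATO", "CRYPTO"}))

if __name__ == "__main__":
    sas = negotiate_sas(HOST_A, HOST_B, SPD_ENTRY)
    for sa in sas:
        print(hex(sa["spi"]), sa["level"], sorted(sa["compartments"]))
    print(sa_for_packet(sas, "TOP SECRET", set()))  # outside the common range
```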



