
Re: draft-ietf-ipsec-arch-sec-02.txt and last call



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Ran" == Ran Atkinson <rja@inet.org> writes:
    Ran>   The document does not say which part of your implementation
    Ran> would do the discarding, just that it happens.  I think
    Ran> you're reading the document too literally.

  But, if I'm supposed to use my judgement and put interpretation on
the document, why have so much detail in the document? Either the
document is prescriptive or not. 
  I reread some portions with the word "discard" in them last night:

   For every IPsec implementation, there MUST be an administrative
   interface that allows a user or system administrator to manage the
   SPD.  This interface must allow the user (or system administrator) to
   specify the security processing to be applied to each packet entering
   or exiting the system, on a packet by packet basis. (In a host IPsec
   implementation making use of a socket interface, the SPD may not need
   to be consulted on a per packet basis, but the effect is still the
   same.)  The management interface for the SPD MUST allow creation of
   entries consistent with the selectors defined in Section 4.4.2, and
   MUST support ordering of these entries.

  If I take this prescriptively, then I must have a knob that lets me
discard packets that meet any pattern based on the 'selectors' --- I
can not have just a GUI that lets me draw coloured lines between
nodes on the two internal networks to allow me to define the
VPNs.
  Implicitly, I am saying "discard everything else" --- if I read the
above paragraph literally, then I must offer the administrator the
ability to discard any packet based on source, destination, protocol,
or port. 
  If I'm not supposed to read that paragraph literally, then why have
it there? 

  Finally, the requirement to put ordering on the "entries" in the
"database" is a VERY NEW requirement. Why was it not brought up months
and months ago? Many of us have done things like that, but we define
things our own way, and we do not necessarily give the administrator
the right to determine the order.

    Ran>   On a more pragmatic note, if you don't include the discard
    Ran> feature in your implementation, I believe that you will sell

  Fine, but let me make the decision, okay?

]       ON HUMILITY: to err is human. To moo, bovine.           |  SSH IPsec  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |international[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBNHPy8MmxxiPyUBAxAQEeLwMAipdt4ERDUzTt6x3m4VXdmxSPuaRcSknQ
bRMVu+1OO+HWxgn2w7DrDu9ixLI9758gCAT5XNOHpdo5TXGWmuew5fzAh4KNUVot
AZ0W2gc3MBnyOjx486eAr5j+V3lCRbI+
=r6mY
-----END PGP SIGNATURE-----
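The quoted draft text describes an SPD whose entries carry selectors, are consulted in administrator-defined order, and whose first match decides the outcome. The following is an added illustration of that model, not code from the draft, from SSH IPsec, or from any implementation discussed on the list; the entry names, addresses and the first-match/default-discard rule are constructed here to show why the ordering requirement the message objects to is not cosmetic: the same two entries give opposite answers for a telnet packet depending on which comes first.

```python
"""Minimal model of an ordered IPsec Security Policy Database (SPD).

Constructed illustration of the model the quoted draft text describes:
entries carry selectors (source, destination, protocol, port), are
consulted in administrator-defined order, first match wins, and a
packet matching no entry is discarded.  Not code from any real
implementation; entry names, prefixes and addresses are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                    # IP protocol number: 6 = TCP, 17 = UDP
    dport: Optional[int] = None   # transport destination port, if any


@dataclass(frozen=True)
class SPDEntry:
    name: str
    src: str                      # CIDR prefix; "0.0.0.0/0" matches any
    dst: str
    proto: Optional[int] = None   # None = any protocol
    dport: Optional[int] = None   # None = any port
    action: str = DISCARD

    def matches(self, p: Packet) -> bool:
        """Every specified selector must match; unspecified ones are wildcards."""
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def lookup(spd: List[SPDEntry], p: Packet) -> str:
    """First-match search in administrator order; no match means DISCARD."""
    for entry in spd:
        if entry.matches(p):
            return entry.action
    return DISCARD


# Constructed policy: two internal networks joined by a VPN, plus one
# narrow discard rule that only takes effect if it precedes the broad one.
VPN = SPDEntry("vpn", "10.1.0.0/16", "10.2.0.0/16", action=PROTECT)
NO_TELNET = SPDEntry("no-telnet", "10.1.0.0/16", "10.2.0.0/16",
                     proto=6, dport=23, action=DISCARD)

SPD_ORDERED = [NO_TELNET, VPN]   # specific entry before the general one
SPD_SWAPPED = [VPN, NO_TELNET]   # the discard entry is shadowed by the VPN


def demo() -> dict:
    """Evaluate a few constructed packets against both orderings."""
    telnet = Packet("10.1.5.5", "10.2.7.7", 6, 23)
    ssh = Packet("10.1.5.5", "10.2.7.7", 6, 22)
    stray = Packet("10.1.5.5", "192.0.2.9", 17, 53)   # matches nothing
    return {
        "telnet_ordered": lookup(SPD_ORDERED, telnet),
        "telnet_swapped": lookup(SPD_SWAPPED, telnet),
        "ssh": lookup(SPD_ORDERED, ssh),
        "stray": lookup(SPD_ORDERED, stray),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

A GUI that only draws lines between networks produces the two broad PROTECT entries and an implicit trailing discard; it cannot express the narrow NO_TELNET exception at all, and without control over ordering an administrator who could add it would have no way to stop the VPN entry from shadowing it.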

