
Re: Per-socket policy and ISAKMP



> 
>   Let's do the reverse: say the machine wants HMAC-SHA1 and the socket
> requests MD5. Well two things are possible: the system gives it MD5,
> violating its own policy, or it takes the "most secure union" of the two.
>   But, maybe the caller is root, and is allowed to override policy?
> 
Perhaps there can be a tuneable - an ndd variable which can decide
whether global policy should override local policy or not. Maybe
the implementation might override depending on the strength
(assume some definition of strength) of the per-socket policy
and global policy.

So, can this affect the application (in any way) which has asked for a
specific policy and the system overrides with global policy?

-mohan



