
Re: Comments on draft-ietf-ipsec-arch-sec-02.txt



D. Hugh Redelmeier writes:
[...]
> Section 4.4.1, paragraph 3, sentence 2 states:
> 
>    This interface must allow the user (or system administrator) to
>    specify the security processing to be applied to each packet 
>    entering or exiting the system, on a packet by packet basis.
> 
> I don't think that the user/sysadmin would be willing to specify
> security processing on a packet by packet basis.  What exactly is
> intended by this sentence?

I can't and won't speak to the question of what was intended. 

My interpretation is along these lines:
The interface must allow the specification of a set of security-related 
processing rules. These processing rules are applied to each packet 
crossing the system boundary. It must be possible to specify 
processing rules that have the granularity of a single packet -- rules 
that potentially indicate distinct actions to be taken when those rules 
are applied to distinct packets. 

IMHO the text in the draft is clear.

[...]
> Section 5.1.2, first point:
> 
>          o The outer IP header Source Address and Destination Address
>            identify the "endpoints" of the tunnel (the encapsulator and
>            decapsulator).  The inner IP header Source Address and
>            Destination Addresses identify the original sender and recipient
>            of the datagram, respectively.
> 
> The word "original" is a little tricky.  We might be dealing with
> tunneling in tunneling.

So we have something ever so vaguely resembling, for example:

[IP_3 [ESP_2 [IP_2 [ESP_1 [IP_1 [TCP ....]]]]]]

W.r.t. the outer tunnel "ESP_2", the inner IP header is "IP_2"
and the datagram is [IP_2 [ESP_1 [IP_1 [TCP ....]]]]. The Source and
Dest Addr of "IP_2" identify the original sender and receiver, 
respectively, of that datagram beginning with IP header "IP_2". They
just happen to be the encapsulator (resp. decapsulator) of the inner
tunnel "ESP_1".

I don't see an ambiguity.

[...]
> In Acknowledgements there is a comma preceded by a space.
[...]

LOL ;->

-Lewis  <pseudonym@acm.org>  <http://www.cs.umass.edu/~lmccarth>
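The nested-tunnel layering in the reply above can be checked mechanically. The following is an added example, not code from the list or from the draft: it parses the bracket notation used in the mail into an ordered list of headers, and then, for each ESP tunnel, identifies the outer IP header (the tunnel endpoints), the inner IP header (the sender and recipient of the datagram that tunnel carries) and the datagram itself, exactly as section 5.1.2 defines them. The check at the end is the relationship the reply points out: the inner IP header of the outer tunnel is the outer IP header of the next tunnel in. The header labels (IP_3, ESP_2, ...) are the ones from the mail; everything else is assumed for illustration.

```python
import re


def parse_layering(notation):
    """Parse the bracket notation from the mail, e.g.
    '[IP_3 [ESP_2 [IP_2 [ESP_1 [IP_1 [TCP ....]]]]]]',
    into a list of header labels, outermost first.  Each '[' opens
    one header; the trailing '....' payload marker is ignored."""
    tokens = re.findall(r"\[|\]|[^\s\[\]]+", notation)
    layers = []
    depth = 0
    expect_label = False
    for tok in tokens:
        if tok == "[":
            depth += 1
            expect_label = True
        elif tok == "]":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ']' in notation")
        elif expect_label:
            layers.append(tok)
            expect_label = False
        # any other token ('....') is payload residue and is skipped
    if depth != 0:
        raise ValueError("unbalanced '[' in notation")
    return layers


def tunnel_view(layers, esp):
    """For one ESP header label, return the outer IP header (the one directly
    enclosing it, whose addresses are the tunnel endpoints), the inner IP header
    (directly enclosed, whose addresses are the original sender and recipient)
    and the datagram the tunnel carries (inner IP header inward)."""
    i = layers.index(esp)
    if i == 0 or not layers[i - 1].startswith("IP"):
        raise ValueError(f"{esp} is not directly enclosed by an IP header")
    if i + 1 >= len(layers) or not layers[i + 1].startswith("IP"):
        raise ValueError(f"{esp} does not directly enclose an IP header (not tunnel mode)")
    return {
        "outer_ip": layers[i - 1],
        "inner_ip": layers[i + 1],
        "datagram": layers[i + 1:],
    }


def tunnel_chain(layers):
    """Return (outer_ip, esp, inner_ip) for every ESP tunnel, outermost first."""
    return [
        (view["outer_ip"], h, view["inner_ip"])
        for h, view in ((h, tunnel_view(layers, h)) for h in layers if h.startswith("ESP"))
    ]


def chain_is_consistent(layers):
    """The point made in the reply: the inner IP header of each tunnel is the
    outer IP header of the next tunnel in, i.e. the 'original sender and
    recipient' of the outer tunnel's datagram are the encapsulator and
    decapsulator of the inner tunnel."""
    chain = tunnel_chain(layers)
    return all(chain[k][2] == chain[k + 1][0] for k in range(len(chain) - 1))


if __name__ == "__main__":
    # Constructed input: the layering written out in the mail above.
    layers = parse_layering("[IP_3 [ESP_2 [IP_2 [ESP_1 [IP_1 [TCP ....]]]]]]")
    for outer, esp, inner in tunnel_chain(layers):
        print(f"{esp}: endpoints in {outer}, original sender/recipient in {inner}")
    print("consistent:", chain_is_consistent(layers))
```

Running it prints one line per tunnel (ESP_2 with IP_3 outside and IP_2 inside, ESP_1 with IP_2 outside and IP_1 inside) and `consistent: True`, which is the reading of "original" the reply gives: it is relative to the datagram a given tunnel carries, not to the innermost packet.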

