Re: Comments on draft-ietf-ipsec-arch-sec-02.txt
D. Hugh Redelmeier writes:
[...]
> Section 4.4.1, paragraph 3, sentence 2 states:
>
> This interface must allow the user (or system administrator) to
> specify the security processing to be applied to each packet
> entering or exiting the system, on a packet by packet basis.
>
> I don't think that the user/sysadmin would be willing to specify
> security processing on a packet by packet basis. What exactly is
> intended by this sentence?
I can't and won't speak to the question of what was intended.
My interpretation is along these lines:
The interface must allow the specification of a set of security-related
processing rules. These processing rules are applied to each packet
crossing the system boundary. It must be possible to specify
processing rules that have the granularity of a single packet -- rules
that potentially indicate distinct actions to be taken when those rules
are applied to distinct packets.
IMHO the text in the draft is clear.
[...]
> Section 5.1.2, first point:
>
> o The outer IP header Source Address and Destination Address
> identify the "endpoints" of the tunnel (the encapsulator and
> decapsulator). The inner IP header Source Address and
> Destination Addresses identify the original sender and recipient
> of the datagram, respectively.
>
> The word "original" is a little tricky. We might be dealing with
> tunneling in tunneling.
So we have something ever so vaguely resembling, for example:
[IP_3 [ESP_2 [IP_2 [ESP_1 [IP_1 [TCP ....]]]]]]
W.r.t. the outer tunnel "ESP_2", the inner IP header is "IP_2"
and the datagram is [IP_2 [ESP_1 [IP_1 [TCP ....]]]]. The Source and
Dest Addr of "IP_2" identify the original sender and receiver,
respectively, of that datagram beginning with IP header "IP_2". They
just happen to be the encapsulator (resp. decapsulator) of the inner
tunnel "ESP_1".
I don't see an ambiguity.
[...]
> In Acknowledgements there is a comma preceded by a space.
[...]
LOL ;->
-Lewis <pseudonym@acm.org> <http://www.cs.umass.edu/~lmccarth>
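A constructed walk-through of the nested layout discussed above (an added example, not code from the thread or from the draft): it builds the [IP_3 [ESP_2 [IP_2 [ESP_1 [IP_1 [TCP]]]]]] stack and, for each ESP layer, reports the tunnel endpoints from the outer IP header and the original sender/recipient from the inner one. It assumes a simplified ESP (8-byte SPI/sequence header, cleartext payload, no trailer) so the layers can be walked without keys; all addresses are documentation ranges.

```python
import struct
import ipaddress

IPPROTO_ESP = 50  # IANA protocol number for ESP
IPPROTO_TCP = 6

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def tunnel(datagram, spi, seq, encapsulator, decapsulator):
    """ESP tunnel mode: outer IP (encapsulator -> decapsulator), ESP, datagram.
    Assumption: ESP is just an 8-byte SPI/sequence header with a cleartext
    payload and no trailer, so the stack can be walked without keys."""
    body = struct.pack("!II", spi, seq) + datagram
    return ipv4_header(encapsulator, decapsulator, IPPROTO_ESP, len(body)) + body

def addrs(ip_packet):
    """Source and destination address of the IPv4 header starting ip_packet."""
    return (str(ipaddress.IPv4Address(ip_packet[12:16])),
            str(ipaddress.IPv4Address(ip_packet[16:20])))

def walk(packet):
    """Peel ESP layers outermost-first.  For each layer return
    (spi, outer_src, outer_dst, inner_src, inner_dst): the outer pair are the
    tunnel endpoints, the inner pair are the original sender and recipient of
    the datagram that ESP layer carries (the very next IP header)."""
    layers = []
    while packet[9] == IPPROTO_ESP:          # protocol field of the IPv4 header
        spi = struct.unpack("!I", packet[20:24])[0]
        inner = packet[28:]                  # datagram beginning with the inner IP header
        layers.append((spi,) + addrs(packet) + addrs(inner))
        packet = inner
    return layers

def nested_example():
    """Constructed stack [IP_3 [ESP_2 [IP_2 [ESP_1 [IP_1 [TCP]]]]]], empty TCP payload."""
    ip_1 = ipv4_header("203.0.113.1", "203.0.113.2", IPPROTO_TCP, 0)
    esp_1 = tunnel(ip_1, 1, 1, "192.0.2.1", "192.0.2.2")        # IP_2 + ESP_1
    return tunnel(esp_1, 2, 1, "198.51.100.1", "198.51.100.2")  # IP_3 + ESP_2

if __name__ == "__main__":
    for spi, o_src, o_dst, i_src, i_dst in walk(nested_example()):
        print(f"ESP SPI {spi}: tunnel {o_src}->{o_dst}, carries {i_src}->{i_dst}")
```

For ESP_2 the "original sender and recipient" reported are 192.0.2.1 and 192.0.2.2, which are exactly the encapsulator and decapsulator of the inner tunnel ESP_1.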