Re: need of information on a selector field
Mathias,

> reference: draft-ietf-ipsec-arch-sec-07.txt
> paragraph: 4.4.2 selector
> problem:
> I don't really understand the use of the Name field of a selector. What
> is it for?

This selector is used to express policies that are specific to a given
"user" or "system", on hosts that support those concepts.

> How is this field extracted from an IP packet in order to match an
> entry in the SPD?

The names are not typically passed in the IP packets that form the
user communications.  The names are associated with the system or with
logged in users or applications they are running, by the operating
system, and are available to the IPSec implementation when the user
sends or receives traffic.  One example would be to associate a name
with a "socket", maybe via a process control structure, and that
information would be available to IPSec.  In the incoming direction,
the host would check that traffic arriving on the SA was destined for
(one of) the socket(s) associated with the name.

Charlie
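The mechanism Charlie describes, as an added illustration that is not part of the original thread or of the draft: the Name selector is matched against identity the operating system attaches to the sending socket, and on the inbound side the host verifies that a packet arriving on an SA bound to a name is delivered only to a socket owned by that name. The SPD layout, the `owner` attribute on the socket, the entry names and the sample packets are all constructed for this example.

```python
"""Toy model of an SPD with a Name selector and the inbound ownership check.

Added example, not code from the IPsec draft or the mailing-list posts.
Field layouts, the Socket.owner binding and the sample data are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields an SPD selector can look at."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Socket:
    """A local endpoint plus the user/system name the OS has bound to it."""
    local_addr: str
    local_port: int
    proto: str
    owner: str   # hypothetical: the Name the kernel associates with this socket


@dataclass(frozen=True)
class Selector:
    """SPD selector; None means 'any' for that field."""
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    name: Optional[str] = None   # the Name selector of section 4.4.2


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str   # "PROTECT", "BYPASS" or "DISCARD"


def selector_matches(sel: Selector, pkt: Packet, name: Optional[str]) -> bool:
    """Header fields come from the packet; the Name comes from OS context."""
    return (
        (sel.dst is None or sel.dst == pkt.dst)
        and (sel.proto is None or sel.proto == pkt.proto)
        and (sel.dport is None or sel.dport == pkt.dport)
        and (sel.name is None or sel.name == name)
    )


def outbound_lookup(spd: List[SPDEntry], pkt: Packet,
                    sender_name: Optional[str]) -> str:
    """Ordered first-match SPD lookup for traffic a local principal sends.

    sender_name is supplied by the OS (e.g. from the sending socket), never
    parsed from the packet. Falling off the end of the SPD discards.
    """
    for entry in spd:
        if selector_matches(entry.selector, pkt, sender_name):
            return entry.action
    return "DISCARD"


def socket_for(pkt: Packet, sockets: List[Socket]) -> Optional[Socket]:
    """Find the local socket an inbound packet would be delivered to."""
    for s in sockets:
        if (s.proto == pkt.proto and s.local_port == pkt.dport
                and s.local_addr in (pkt.dst, "0.0.0.0")):
            return s
    return None


def inbound_name_check(sa_name: str, pkt: Packet, sockets: List[Socket]) -> bool:
    """Accept a packet that arrived on an SA bound to sa_name only if its
    destination socket belongs to that same name. No socket, or a socket
    owned by someone else, is rejected."""
    sock = socket_for(pkt, sockets)
    return sock is not None and sock.owner == sa_name


# Constructed sample policy: alice's SSH is protected, anyone else's SSH is
# dropped, everything else bypasses IPsec.
SPD = [
    SPDEntry(Selector(proto="tcp", dport=22, name="alice"), "PROTECT"),
    SPDEntry(Selector(proto="tcp", dport=22), "DISCARD"),
    SPDEntry(Selector(), "BYPASS"),
]

# Constructed local socket table: sshd bound by alice, a web app bound by bob.
SOCKETS = [
    Socket("0.0.0.0", 22, "tcp", "alice"),
    Socket("10.0.0.2", 8080, "tcp", "bob"),
]

if __name__ == "__main__":
    ssh_out = Packet("10.0.0.2", "10.0.0.1", "tcp", 22)
    print(outbound_lookup(SPD, ssh_out, "alice"))   # PROTECT
    print(outbound_lookup(SPD, ssh_out, "bob"))     # DISCARD
    ssh_in = Packet("10.0.0.1", "10.0.0.2", "tcp", 22)
    print(inbound_name_check("alice", ssh_in, SOCKETS))  # True
    print(inbound_name_check("bob", ssh_in, SOCKETS))    # False
```

The point of the inbound check is that the SA, not the packet, carries the name: a peer that negotiated an SA for one identity cannot use it to reach sockets owned by another, because delivery is refused when the destination socket's owner differs from the SA's bound name.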