Re: IPsec and RTP crypto
It's an application layer issue.
Hilarie
>>> "Steven M. Bellovin" <smb@research.att.com> 04/11/01 07:11PM >>>
In message <sacb25d4.084@prv-mail20.provo.novell.com>, "Hilarie Orman" writes:
>Long ago we implemented this selective use of IPsec by
>permitting connections to mix protected and unprotected
>traffic. The send and receive interfaces made the level
>of protection obvious; the application layer could decide
>whether or not to accept data for each received chunk
>(all the bytes in a chunk had the same protections). This
>allowed password protection, in particular. It didn't seem
>(at the time) that IPsec was an impediment to this usage.
>
How can you do that? It sounds like it would take some very strange
layering, since in most stacks TCP ACKs are sent when the data is
received, not when it's passed to the application -- and that, in turn,
means that the sending host may have discarded some data before it
knows if it needs to be sent with a different security level.
--Steve Bellovin, http://www.research.att.com/~smb