
Re: application layer cross checking
In message <15089.46873.137893.423692@thomasm-u1.cisco.com>, Michael Thomas writes:
>Derek Atkins writes:
> > Because applications may not be ipsec peers...  Or, in most cases,
> > ipsec will be host-based, not user-based?
>
>   What's the difference? Why shouldn't I be able to
>   tell the socket layer which identity I want it 
>   to use for a particular 5-tuple, and the receiving
>   end be able to verify that, including the application
>   layer being able to cross check? 
> 
>   If you can't do that, it sure seems like transport
>   mode is severely hamstrung. As in, why bother?

Absolutely -- I've been asking for such an API for several years.  

More specifically, at a minimum I want a way for an application to find 
out what security mechanisms are in effect for a given socket, and 
whatever is known about the peer(s).  It's up to the application to 
decide what permissions are associated with what identities, by 
whatever means it chooses.  In that sense, it doesn't matter if it's a 
"user" or a "host" -- the access control mechanisms need not 
distinguish unless they wish to.


		--Steve Bellovin, http://www.research.att.com/~smb