Re: application layer cross checking
At 2:36 PM -0700 5/3/01, Michael Thomas wrote:
>Derek Atkins writes:
> > Because applications may not be ipsec peers... Or, in most cases,
> > ipsec will be host-based, not user-based?
>
> This seems like a rather single-user, PC-based
> mentality. If we were running a multiuser timesharing
> system, being able to supply credentials on a per
> user basis would be rather necessary, no? Or
> perhaps I have a smart card which does the
> signatures which identifies me regardless of
> which machine I'm using, etc, etc. I don't see
> what prevents the SPD from having rules like
> "for 5-tuple [a,b,c,d,e], demand credentials in
> realm X" where those credentials might require
> a human to insert a piece of hardware, or type
> into a dialog box slapped up by the keying
> daemon, or whatever.
The SPD is a means of specifying access controls and security
services for traffic at layer 3. It would be inappropriate to do
what you suggest here.
Steve
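To make concrete what "access controls and security services for traffic at layer 3" means in the reply above, here is a small model of an ordered SPD lookup keyed on the packet's 5-tuple. It is an added example for this archive page, not code from the thread or from any IPsec implementation; the action names (DISCARD, BYPASS, PROTECT), the rule set and the packets are constructed, and the assumption that a non-matching packet is discarded follows the RFC 2401 default. Note that the only inputs to the lookup are packet-header fields: there is no user, realm or credential in the selector, which is the point the reply makes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard selector value


@dataclass(frozen=True)
class Selector:
    """Traffic selector. Each field is a concrete value, a range, a network, or ANY."""
    src: object = ANY            # ipaddress.ip_network or ANY
    dst: object = ANY            # ipaddress.ip_network or ANY
    proto: Optional[int] = ANY   # IP protocol number (6 = TCP, 17 = UDP) or ANY
    sport: object = ANY          # int, (lo, hi) tuple, or ANY
    dport: object = ANY          # int, (lo, hi) tuple, or ANY


@dataclass(frozen=True)
class Entry:
    selector: Selector
    action: str                  # "DISCARD", "BYPASS" or "PROTECT" (names assumed)
    sa_params: Optional[str] = None  # free-form description of the SA to apply


@dataclass(frozen=True)
class Packet:
    """The layer-3/4 header fields the SPD gets to look at, and nothing else."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def _match_addr(sel, addr: str) -> bool:
    return sel is ANY or ipaddress.ip_address(addr) in sel


def _match_port(sel, port: int) -> bool:
    if sel is ANY:
        return True
    if isinstance(sel, tuple):
        lo, hi = sel
        return lo <= port <= hi
    return sel == port


def matches(sel: Selector, pkt: Packet) -> bool:
    """True when every selector field matches the packet (wildcards match anything)."""
    return (
        _match_addr(sel.src, pkt.src)
        and _match_addr(sel.dst, pkt.dst)
        and (sel.proto is ANY or sel.proto == pkt.proto)
        and _match_port(sel.sport, pkt.sport)
        and _match_port(sel.dport, pkt.dport)
    )


def lookup(spd: List[Entry], pkt: Packet) -> Entry:
    """Ordered first-match lookup. No match falls through to DISCARD (assumed default)."""
    for entry in spd:
        if matches(entry.selector, pkt):
            return entry
    return Entry(Selector(), "DISCARD")


def example_spd() -> List[Entry]:
    """A constructed SPD for a host on 192.0.2.0/24 with a protected subnet behind 10.1.0.1."""
    lan = ipaddress.ip_network("192.0.2.0/24")
    protected = ipaddress.ip_network("10.1.0.0/16")
    return [
        # Let IKE itself through in the clear, otherwise no SA could ever be set up.
        Entry(Selector(src=lan, proto=17, sport=500, dport=500), "BYPASS"),
        # Everything destined for the protected subnet goes through an ESP tunnel.
        Entry(Selector(src=lan, dst=protected), "PROTECT", "esp-tunnel to 10.1.0.1"),
        # Plain web traffic from the LAN is allowed without IPsec.
        Entry(Selector(src=lan, proto=6, dport=(80, 80)), "BYPASS"),
        # Anything else hits the implicit DISCARD in lookup().
    ]


if __name__ == "__main__":
    spd = example_spd()
    for pkt in (
        Packet("192.0.2.10", "192.0.2.1", 17, 500, 500),      # IKE
        Packet("192.0.2.10", "10.1.2.3", 6, 40000, 22),       # SSH into protected net
        Packet("192.0.2.10", "198.51.100.7", 6, 40000, 443),  # HTTPS elsewhere: no rule
    ):
        e = lookup(spd, pkt)
        print(pkt, "->", e.action, e.sa_params or "")
```

The per-user credential question from the quoted message would have to be answered by whatever negotiates the SA (the keying daemon) before an entry's PROTECT action can be satisfied; the SPD itself only ever sees the header fields in `Packet`.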