
Re: application layer cross checking
At 2:36 PM -0700 5/3/01, Michael Thomas wrote:
>Derek Atkins writes:
>  > Because applications may not be ipsec peers...  Or, in most cases,
>  > ipsec will be host-based, not user-based?
>
>    This seems like a rather single user PC based
>    mentality. If we were running a multiuser timesharing
>    system, being able to supply credentials on a per
>    user basis would be rather necessary, no? Or
>    perhaps I have a smart card which does the
>    signatures which identifies me regardless of
>    which machine I'm using, etc, etc. I don't see
>    what prevents the SPD from having rules like
>    "for 5-tuple [a,b,c,d,e], demand credentials in
>     realm X" where those credentials might require
>    a human to insert a piece of hardware, or type
>    into a dialog box slapped up by the keying
>    daemon, or whatever.

The SPD is a means of specifying access controls and security
services for traffic at layer 3. It would be inappropriate to do
what you suggest here.

Steve