
Re: Simplifying IKE



> So, you wouldn't consider PF_KEY to be a standard API for use with IPsec?
> I don't like it much personally, as it isn't as flexible as RFC 2401 would
> allow an API to be, but still, it is there....

Bill already mentioned that PF_KEY is not the sort of policy API that people
have been talking about.

What people would like (I suspect) is something like my old "Simple IPsec
Socket API" or Craig Metz's later work that also includes QoS type features.

Basically, what I suspect people want would be a way to take a socket, and
say "Use IPsec for traffic on this socket," or ask "Does this socket secure
its traffic, and if so, how?"

To implement something even close to this requires a fully integrated IPsec
implementation.  Examples I know of even simple IPsec socket options are in
the NRL code, Solaris 8 and beyond ("man ipsec" for docs), and the KAME code.
There may be others as well that I'm not aware of, and I'd like to hear about
them.

Dan

