Re: SOI QUESTION: 5.3 SPD entries
>>>>> "Theodore" == Theodore Ts'o <tytso@mit.edu> writes:
Theodore> Please discuss and answer the following question:
Theodore> 5.3 SPD entries
Theodore> 5.3.A) Is it important in SOI to allow the responder to accept a subset
Theodore> of the proposed SA, or should it be an all or nothing acceptance?
Yes. This is a major advantage to end-2-end systems such as Opportunistic Encryption.
But, for this to work, the initiator needs to provide the responder with an
indication of its intent - why is it negotiating at this time - I believe
that this is best done by including L3/L4 headers from the packet that caused
the negotiation to begin.
If there is no such packet (i.e. this is a preconfigured "up" tunnel) then
the responder needs to know that. The proposed policy will likely have to
match (this is a local matter).
Theodore> 5.3.B) Should the SOI offer multiple selectors with specific ports and
Theodore> addresses, or a single selector with a range of ports and range of
Theodore> addresses? (complicated boolean complexity!)
We *do* need the boolean complexity.
There should be only a single way to express selectors - ranges being the
most general, even if most implementations will only permit strict netmasks
for addresses.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
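The two points in the reply above (responder accepting a subset of the proposal, and selectors expressed as ranges with a netmask as one special case) as an added example that is not part of the original message or of any SOI draft. Selector, addr_range, responder_accept, the "trigger packet" argument and the 10.x.x.x addresses are all constructed for this illustration; selectors are written from the responder's point of view, and the no-trigger rule (proposal must fit a local entry whole) is one possible local-policy choice, not something the post prescribes.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)

@dataclass(frozen=True)
class Selector:
    """One SPD selector: each field an inclusive (lo, hi) range; proto 0 = any."""
    src: tuple
    dst: tuple
    proto: int = 0
    sport: tuple = ANY_PORT
    dport: tuple = ANY_PORT

def addr_range(cidr):
    """A strict netmask is only a special case of a contiguous address range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (int(net.network_address), int(net.broadcast_address))
def _isect(a, b):
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None
def intersect(a, b):
    """Narrowest selector inside both a and b, or None if they are disjoint."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    dims = [_isect(getattr(a, f), getattr(b, f)) for f in ("src", "dst", "sport", "dport")]
    return None if None in dims else Selector(dims[0], dims[1], a.proto or b.proto, dims[2], dims[3])
def packet_selector(pkt):
    """Degenerate selector for one packet: pkt = (src_ip, dst_ip, proto, sport, dport)."""
    s, d = (int(ipaddress.ip_address(x)) for x in pkt[:2])
    return Selector((s, s), (d, d), pkt[2], (pkt[3], pkt[3]), (pkt[4], pkt[4]))
def responder_accept(local_policy, proposed, trigger=None):
    """Selector the responder agrees to, or None. With the triggering packet's L3/L4
    headers, accept the subset of the proposal overlapping a local entry, provided it
    still carries that packet; with no trigger, the proposal must fit an entry whole."""
    for entry in local_policy:
        narrowed = intersect(entry, proposed)
        if narrowed is None:
            continue
        if trigger is None and narrowed == proposed:
            return narrowed
        if trigger is not None and intersect(narrowed, packet_selector(trigger)):
            return narrowed
    return None

# Constructed sample: responder protects 10.1.0.0/16 <-> 10.2.0.0/16, any protocol;
# the initiator proposes a far wider source range, limited to TCP port 80.
LOCAL = [Selector(addr_range("10.1.0.0/16"), addr_range("10.2.0.0/16"))]
PROPOSED = Selector(addr_range("10.0.0.0/8"), addr_range("10.2.0.0/16"), 6, dport=(80, 80))
TRIGGER = ("10.1.5.5", "10.2.7.7", 6, 40000, 80)   # packet that started the negotiation
```

With the trigger packet present the responder returns the proposal narrowed to 10.1.0.0/16 TCP/80; the same proposal with no trigger, or with a packet outside the narrowed selector, is rejected.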