
application APIs





>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:
    Stephen> An important feature of IPsec is that an administrator can impose 
    Stephen> security controls on traffic without having to rely on individual 
    Stephen> applications to be able to make these choices, and without having to 

...

    Stephen> For example, I assume that even if we have an API that apps can use 
    Stephen> to specify controls, that you would want some defaults and one way of 
    Stephen> configuring the defaults is via an administrator interface. Would 
    Stephen> that satisfy your goals?

  Stephen, if you go see the original NRL API (which KAME is mostly a clone
of), it pretty much has everything you want:
    1) admin can force things to be clear, or to be private.
    2) applications can request services within the parameters given
    3) some applications (privileged ones) can override, particularly, IKE
    daemons can get port 500 stuff out.

  But, the NRL API wasn't perfect, and left lots of things to be desired.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

