
Re: application APIs



At 1:31 PM -0500 12/22/02, Michael Richardson wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>>>>>>  "Stephen" == Stephen Kent <kent@bbn.com> writes:
>     Stephen> An important feature of IPsec is that an administrator can impose
>     Stephen> security controls on traffic without having to rely on individual
>     Stephen> applications to be able to make these choices, and without having to
>
>...
>
>     Stephen> For example, I assume that even if we have an API that apps can use
>     Stephen> to specify controls, that you would want some defaults and one way of
>     Stephen> configuring the defaults is via an administrator interface. Would
>     Stephen> that satisfy your goals?
>
>   Stephen, if you go see the original NRL API (which KAME is mostly a clone
>of), it pretty much has everything you want:
>     1) admin can force things to be clear, or to be private.
>     2) applications can request services within the parameters given
>     3) some applications (privileged ones) can override, particularly, IKE
>     daemons can get port 500 stuff out.
>
>   But, the NRL API wasn't perfect, and left lots of things to be desired.
>

I don't disagree with your observations, but I also am more concerned 
about putting the MUSTs into IKEv2 to make sure we have the requisite 
management capabilities, irrespective of whether folks use an API or 
not. It seems unlikely that we make provision of a specific API a 
MUST at this point.

Steve