[anonsec] [MULTIMOBSEC-API] Re: first steps in APIs
Nicolas Williams
Nicolas.Williams at sun.com
Tue Apr 25 08:22:35 PDT 2006
On Tue, Apr 25, 2006 at 10:00:51AM +0300, Miika Komu wrote:
> I think there is some overlap even between shim6 and btns, but the overlap
> is somewhat marginal. Consider these examples:
>
> * You could request current IPsec security parameters from shim6 module
> and it would tell you that there is none
> * To set-up BTNS IPsec policies and associations, you also need locators

<clarification>
Er, let's be careful and avoid confusion on the BTNS list about this:

 - BTNS is, at its core, about NOT authenticating peers
 - BTNS allows for anonymity and pseudonymity
 - (BTNS pseudonymity &&
    (application-driven enrolment ||
     application-driven leap-of-faith)) == ad-hoc IPsec authentication
 - Some BTNS applications (channel bindings) don't care for
   pseudonymity, and, therefore, don't care for ad-hoc IPsec
   authentication.

So, BTNS can be said to have locators, but it isn't strictly the case
that it does have locators -- "BTNS locators" are an application
construct, not a fundamental BTNS construct.
</clarification>

> However, there is no reason why these APIs couldn't be decoupled.

Yes, but I think there's a point where they may meet: at the API for
obtaining the end-point IDs of a latched connection, and, therefore, the
representation of these IDs (IKEv2-style representation, + BTNS
publickey ID type, + HITs).

Nico