[anonsec] BYPASS OR PROTECT
Stephen Kent
kent at bbn.com
Mon Apr 2 11:43:45 PDT 2007
Nico,
The existing 4301 model describes BYPASS and PROTECT as mutually
exclusive descriptions. So, the new option, which might more properly
be named "PROTECT IF POSSIBLE" is a third option that the user has to
see as a distinct choice. So long as we represent this as a new
option (which I think may be better reinforced by the name I
suggested above), I don't think it undermines the 4301 model.
Of course we still have to make sure that there is no overlap (in
terms of address space or name space) between entries in the SPD
that are described as PROTECT and ones that are labeled as "PROTECT
IF POSSIBLE." The same is true for the PAD. These constraints are
needed to satisfy the "don't undermine the existing 4301 access
control model" criteria we discussed in Prague.
Steve
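
The no-overlap constraint described in the message above, sketched as an added example that is not part of the original post. The `Entry` type, the labels, the sample entries, and the rule that names match case-insensitively and exactly are assumptions made for illustration; the same function can be run over PAD entries.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product

PROTECT = "PROTECT"
PROTECT_IF_POSSIBLE = "PROTECT IF POSSIBLE"
BYPASS = "BYPASS"

@dataclass(frozen=True)
class Entry:
    label: str     # hypothetical identifier, used only for reporting
    action: str
    selector: str  # a CIDR prefix (address space) or a name (name space)

def _as_network(selector):
    """Return an ip_network for a prefix, or None if the selector is a name."""
    try:
        return ipaddress.ip_network(selector, strict=False)
    except ValueError:
        return None

def selectors_overlap(a, b):
    net_a, net_b = _as_network(a), _as_network(b)
    if net_a is not None and net_b is not None:
        # Prefixes overlap only within the same address family.
        return net_a.version == net_b.version and net_a.overlaps(net_b)
    if net_a is None and net_b is None:
        # Assumption: names are compared case-insensitively, exact match.
        return a.rstrip(".").lower() == b.rstrip(".").lower()
    return False  # an address and a name live in different spaces

def find_conflicts(entries):
    """Pairs (PROTECT label, PROTECT IF POSSIBLE label) whose selectors overlap."""
    strict = [e for e in entries if e.action == PROTECT]
    opportunistic = [e for e in entries if e.action == PROTECT_IF_POSSIBLE]
    return [(s.label, o.label) for s, o in product(strict, opportunistic)
            if selectors_overlap(s.selector, o.selector)]

# Constructed sample policy (documentation prefixes and names only).
SAMPLE_SPD = [
    Entry("spd-1", PROTECT, "192.0.2.0/24"),
    Entry("spd-2", PROTECT_IF_POSSIBLE, "192.0.2.128/25"),   # inside spd-1
    Entry("spd-3", PROTECT_IF_POSSIBLE, "198.51.100.0/24"),  # disjoint
    Entry("spd-4", BYPASS, "192.0.2.0/28"),                  # not checked here
    Entry("spd-5", PROTECT, "2001:db8::/32"),
    Entry("spd-6", PROTECT_IF_POSSIBLE, "2001:db8:1::/48"),  # inside spd-5
    Entry("spd-7", PROTECT, "gw.example.com"),
    Entry("spd-8", PROTECT_IF_POSSIBLE, "GW.example.com."),  # same name
]

if __name__ == "__main__":
    for strict_label, opp_label in find_conflicts(SAMPLE_SPD):
        print(f"conflict: {strict_label} (PROTECT) overlaps {opp_label}")
```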