[anonsec] BYPASS OR PROTECT

Stephen Kent kent at bbn.com
Wed Apr 4 09:06:22 PDT 2007


At 11:50 AM -0400 4/4/07, Dan McDonald wrote:
>On Wed, Apr 04, 2007 at 11:17:57AM -0400, Stephen Kent wrote:
>>  >Second, IPsec-aware apps should not be able to create PROTECT IF
>>  >POSSIBLE rules that punch holes in system policy that would PROTECT/
>>  >DISCARD the apps' traffic unless the apps are sufficiently privileged.
>>  >OTOH, IPsec-aware apps should be able to PROTECT or PROTECT IF POSSIBLE
>>  >traffic that would otherwise be BYPASSED.  (This is the rule implemented
>>  >in Solaris, BTW.)
>>
>>  Good points.  I think this says we may need another SPD extension,
>>  one that marks rules as ones that are inviolable, vs. ones that may
>>  be overridden by a user/app as you described above.
>
>For example, OpenSolaris has "inviolable" as a global flag (which is disabled
>by default) for the entire SPD.  The only exception to sockets overriding the
>SPD is for a socket that wishes to PASS - the process that wishes to PASS
>MUST be privileged AND the "inviolable" flag MUST be disabled.
>
>Having per-rule inviolability is a good idea, but we need to consider apps
>AND their privileges.  For another example, I really want my IKE daemon to
>speak in the clear REGARDLESS of the contents of the SPD.
>
>Dan

Dan,

I think the WG has to discuss just what semantics we need for the 
flag, but it's good to know that some implementations have analogous 
capabilities now.

I'm pretty sure 4301 says that IKE messages cross the IPsec boundary 
and that there need to be SPD entries to enable this, so your last 
comment above is in conflict with that.

Steve
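To make the override semantics under discussion concrete, here is a small policy model added to this archive page (it is not code from the thread, from OpenSolaris, or from RFC 4301). It assumes a boolean per-rule "inviolable" flag plus a global one, treats Solaris "PASS" as RFC 4301 BYPASS, and generalizes Dan's two rules to "strengthening is always allowed, weakening needs privilege and no inviolable flag"; the SPD contents are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    BYPASS = "BYPASS"                            # RFC 4301: pass in the clear (Solaris "PASS")
    PROTECT = "PROTECT"                          # RFC 4301: IPsec required
    DISCARD = "DISCARD"                          # RFC 4301: drop
    PROTECT_IF_POSSIBLE = "PROTECT IF POSSIBLE"  # anonsec: protect, else fall back to clear

# Modelling assumption: rank actions by how much protection they demand, so an
# override that raises the rank "strengthens" and one that lowers it "punches a hole".
STRENGTH = {Action.BYPASS: 0, Action.PROTECT_IF_POSSIBLE: 1,
            Action.PROTECT: 2, Action.DISCARD: 3}

@dataclass(frozen=True)
class SpdRule:
    action: Action
    inviolable: bool = False   # the per-rule flag proposed in the thread (assumed boolean)

def resolve(rule, requested, privileged=False, global_inviolable=False):
    """Action applied to a flow matching `rule` when an IPsec-aware socket asks
    for `requested` (None = no request)."""
    if requested is None or requested == rule.action:
        return rule.action
    if rule.inviolable:                        # per-rule flag: no override in either direction
        return rule.action
    if STRENGTH[requested] > STRENGTH[rule.action]:
        return requested                       # e.g. BYPASS -> PROTECT: always allowed
    # Weakening PROTECT/DISCARD: needs privilege AND the global flag disabled
    if global_inviolable or not privileged:
        return rule.action
    return requested

# Constructed sample SPD. Per RFC 4301, IKE gets its own BYPASS entry (here
# inviolable) rather than the daemon escaping the SPD "regardless".
SAMPLE_SPD = [
    (("udp", 500), SpdRule(Action.BYPASS, inviolable=True)),
    (("tcp", 22), SpdRule(Action.PROTECT)),
    (("any", None), SpdRule(Action.PROTECT_IF_POSSIBLE)),
]

def decide(spd, proto, port, requested=None, privileged=False, global_inviolable=False):
    """First-match SPD lookup; no match means DISCARD, as RFC 4301 requires."""
    for (sel_proto, sel_port), rule in spd:
        if sel_proto in ("any", proto) and sel_port in (None, port):
            return resolve(rule, requested, privileged, global_inviolable)
    return Action.DISCARD
```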
