[anonsec] BYPASS OR PROTECT

Michael Richardson mcr at sandelman.ottawa.on.ca
Wed Apr 4 10:09:51 PDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "Stephen" == Stephen Kent <kent at bbn.com> writes:
    Stephen> At 12:31 PM -0400 4/3/07, Michael Richardson wrote:
    >> Stephen Kent wrote:
    >>> The existing 4301 model describes BYPASS and PROTECT as mutually
    >>> exclusive descriptions. So, the new option, which might more
    >>> properly be named "PROTECT IF POSSIBLE" is a third option that
    >>> the user has to
    >> As this is used primarily on the responder, I suggest the wording
    >> be in fact: "PROTECT IF REQUESTED"

    Stephen> Does the spec say that it is used ONLY by a responder? If
    Stephen> so, then your wording sounds better. If not, ...

  1) BTNS says nothing about how nodes know to do BTNS. We explicitly
     left out discovery.
     So, an initiator would have to have some PAD/SPD entry that told it
     to do something.
     
     If that thing was "PROTECT IF REQUESTED", and the application
     requested protection, then that wording would fit.

  2) I think that it does make most sense to have such entries on the
     responder. I expect to see more clear "PROTECT" entries on the
     "clients" (I use that label vs initiator, on purpose)

    >>> Of course we still have to make sure that there is no overlap
    >>> (in terms of address space or name space) between entries in the
    >>> SPD that are described as PROTECT and ones that are labeled as
    >>> "PROTECT IF POSSIBLE." The same is true for the PAD. These
    >>> constrains are
    >> This is a general problem in the PAD, and SPD with overlapping
    >> items. i.e. this problem already exists, and has been solved.

    Stephen> I'm not quite sure what you mean above. The ordering of the
    Stephen> PAD and SPD allows one to have overlapping entries, but
    Stephen> those were entries that all had the same precedence, and
    Stephen> which offer a binary choice. The notion of PROTECT IF
    Stephen> REQUESTED/POSSIBLE is a new concept with different
    Stephen> semantics and that's why I believe we have to be more
    Stephen> sophisticated in how we add this feature to the PAD and
    Stephen> SPD.

  Can you give me an example of an ordered PAD that would still be
ambiguous?
  Your word "precedence" is funny to me, since the entries don't have
the same precedence if they are ordered.

- -- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBRhPb3oCLcPvd0N1lAQLnIQgAoREwgSeUNiOmcig3PTCVbc36m0fjim0O
0mF2hEl3oGYxXdEIxfHu/mbhaP1dTW6M07l/I6zIslD2FKBRZWC/pooWhpZS/xdf
jHFVj7KhmcZIDW3M4b+S7Gg5KSvg/P9NhpuT2Av8SyPIp6qzLzlPn+pzGnmsiSfG
Ox36yWMtn9RuBL9PKT8SyD3hD2XZlWJTTJubeIvintMMeLuT3TyUbhOlP/V6tu2G
dqLzoIr6T+724SBCSv5uYgWfeafO+KPAHCsS8riz/Kgv0TG+mSTN04L4DjmeaGUF
ZlBtAMBuYDp1ekw221ZVD5vQZmafexde1JvANnF1Kmm+xILNfNloow==
=gTKk
-----END PGP SIGNATURE-----
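The exchange above turns on two points: that an ordered SPD already resolves overlapping entries by first match, and that a third action ("PROTECT IF REQUESTED" in Michael's wording) has different semantics on the responder than plain PROTECT or BYPASS. The following is an added illustration written for this archive page; it is not code from the thread, from RFC 4301, or from any BTNS draft. It models an ordered SPD with IPv4 remote-address selectors only, uses the thread's proposed action name as an assumed fourth action, and includes a shadowing check that flags the one way an ordered table can still surprise an administrator: a later entry that can never match because an earlier, broader entry covers it.

```python
import ipaddress
from dataclasses import dataclass

# RFC 4301 actions, plus the thread's proposed third option (an assumption,
# not something RFC 4301 defines).
PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"
PROTECT_IF_REQUESTED = "PROTECT IF REQUESTED"


@dataclass
class SPDEntry:
    remote: str      # remote-address selector as an IPv4 CIDR (simplified)
    action: str
    comment: str = ""


def lookup(spd, remote_ip):
    """First-match lookup over an ordered SPD: the first entry whose
    selector covers the packet decides; later overlapping entries are
    never consulted.  Returns None when nothing matches."""
    addr = ipaddress.ip_address(remote_ip)
    for entry in spd:
        if addr in ipaddress.ip_network(entry.remote):
            return entry
    return None


def inbound_decision(spd, remote_ip, arrived_protected):
    """What a responder does with an inbound packet, given whether it
    arrived inside an SA (arrived_protected) or in the clear.

    PROTECT:               clear-text packet is dropped, it should have been protected
    BYPASS:                accepted in the clear
    PROTECT IF REQUESTED:  protected if the peer set up an SA, otherwise bypassed
    no match:              RFC 4301 default is DISCARD
    """
    entry = lookup(spd, remote_ip)
    if entry is None:
        return DISCARD
    if entry.action == PROTECT_IF_REQUESTED:
        return PROTECT if arrived_protected else BYPASS
    if entry.action == PROTECT and not arrived_protected:
        return DISCARD
    return entry.action


def shadowed_entries(spd):
    """Return (earlier, later) pairs where the later entry's selector lies
    entirely inside an earlier one, so the later entry is dead.  This is
    the residual ambiguity in an ordered table: not which entry wins, but
    whether the operator meant the one that can never win."""
    found = []
    for i, later in enumerate(spd):
        later_net = ipaddress.ip_network(later.remote)
        for earlier in spd[:i]:
            if later_net.subnet_of(ipaddress.ip_network(earlier.remote)):
                found.append((earlier, later))
                break
    return found


# Constructed SPD for illustration: mandatory IPsec for a partner block,
# BTNS-style opportunistic protection for everyone else, and one entry the
# operator added later that the first entry silently shadows.
SPD = [
    SPDEntry("10.1.0.0/16", PROTECT, "partner network, IPsec mandatory"),
    SPDEntry("0.0.0.0/0", PROTECT_IF_REQUESTED, "everyone else, protect if the peer asks"),
    SPDEntry("10.1.5.0/24", BYPASS, "intended exception, but shadowed by entry 1"),
]

if __name__ == "__main__":
    print(inbound_decision(SPD, "10.1.5.7", False))   # DISCARD: first entry wins, not the BYPASS
    print(inbound_decision(SPD, "192.0.2.9", False))  # BYPASS
    print(inbound_decision(SPD, "192.0.2.9", True))   # PROTECT
    for earlier, later in shadowed_entries(SPD):
        print(f"entry {later.remote} ({later.action}) is shadowed by {earlier.remote} ({earlier.action})")
```

The lookup itself shows Michael's point: once the table is ordered there is exactly one winning entry for any packet, so overlap is not ambiguous. The shadowing check shows the part of Stephen's concern that ordering does not remove: a PROTECT entry placed after a broad "PROTECT IF REQUESTED" entry would never fire, and the peer would be allowed to downgrade to clear text without any entry being "wrong" in isolation.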
