[anonsec] BYPASS OR PROTECT
Nicolas Williams
Nicolas.Williams at sun.com
Thu Apr 5 08:46:49 PDT 2007
On Thu, Apr 05, 2007 at 07:18:07AM -0400, Stephen Kent wrote:
> At 10:47 AM -0500 4/4/07, Nicolas Williams wrote:
> >So the SPD extension, then, would be a rule type that declares an
> >insertion point for specific applications or local privileges.
>
> how would one define the insertion point in a way that doesn't get too
> complex?
You put the "inviolable" rules that you posited ahead of the insertion
point. All others go behind. For a simple system with two levels of
privilege (w.r.t. IPsec policy), privileged and unprivileged, you need
two insertion points: one at the head of the SPD-S for privileged apps
to request BYPASS in contravention to system policy, and one at the end
of the SPD-S for unprivileged apps to request PROTECT where system
policy would BYPASS. (Yes, I ignored DISCARD rules there.)
> >Since there's more than one way to represent this we need English-
> >language text and a canonical representation that implementors can
> >ignore, provided that they provide equivalent functionality.
>
> agreed.
>
> >Personally I prefer the insertion point approach since it does not
> >require modifying existing rules. Your notion of "inviolable" rules
> >maps into placing such rules ahead of any insertion points.
>
> I see what you mean, and I appreciate the generality, but I do worry
> about creating a sophisticated access control capability that will
> induce management errors.
Me too. But how can we ignore the "where" in the SPD to insert
API-driven rules? Do you believe that your "inviolable" flag would
allow us to ignore SPD order for such rules?
Nico
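The insertion-point layout described in the message above, as an added worked example that is not part of the original thread and is not code from the author or from any IPsec implementation. It models an SPD as an ordered, first-match-wins list with two API insertion points (one behind the inviolable rules at the head, one at the tail), and shows what the ordering buys: a privileged BYPASS request beats ordinary system policy but not an inviolable rule, while an unprivileged PROTECT request only takes effect for traffic no earlier system rule already decides. Assumptions: selectors are reduced to a destination port, "where system policy would BYPASS" is taken to mean the SPD's configured default for unmatched traffic (set to BYPASS in the demo; RFC 4301 specifies DISCARD for unmatched traffic), and the names Rule, SPD, request and demo are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

BYPASS, PROTECT, DISCARD = "BYPASS", "PROTECT", "DISCARD"


@dataclass(frozen=True)
class Rule:
    """One SPD entry. The selector is reduced to a destination port for the
    example (None matches any port); real SPD selectors are far richer."""
    dst_port: Optional[int]
    action: str
    origin: str = "system"

    def matches(self, dst_port: int) -> bool:
        return self.dst_port is None or self.dst_port == dst_port


class SPD:
    """Ordered SPD with two API insertion points; first matching rule wins.

    Layout, head to tail:
      inviolable   system rules no application may get ahead of
      [priv]       insertion point for privileged apps (BYPASS allowed)
      body         ordinary system policy
      [unpriv]     insertion point for unprivileged apps (PROTECT only)
      default      action for traffic nothing above matched
    """

    def __init__(self, inviolable: List[Rule], body: List[Rule],
                 default: str = DISCARD):
        self.inviolable = list(inviolable)
        self.priv: List[Rule] = []
        self.body = list(body)
        self.unpriv: List[Rule] = []
        # RFC 4301 default for unmatched traffic is DISCARD; the demo overrides it.
        self.default = Rule(None, default, origin="default")

    def ordered(self) -> List[Rule]:
        return self.inviolable + self.priv + self.body + self.unpriv + [self.default]

    def lookup(self, dst_port: int) -> Rule:
        for rule in self.ordered():
            if rule.matches(dst_port):
                return rule
        raise AssertionError("unreachable: the default rule matches everything")

    def request(self, privileged: bool, rule: Rule) -> bool:
        """API-driven rule insertion. Returns True if the rule was installed."""
        if rule.action not in (BYPASS, PROTECT):
            return False                  # DISCARD rules are ignored here, as in the thread
        if privileged:
            self.priv.append(rule)        # head insertion point: may override body policy
            return True
        if rule.action != PROTECT:
            return False                  # unprivileged apps may not weaken policy
        self.unpriv.append(rule)          # tail insertion point: only where nothing else matched
        return True


def demo() -> dict:
    # Constructed policy (hypothetical): SSH inviolably protected, SMTP protected,
    # HTTP bypassed, and unmatched traffic bypassed by this host's default.
    spd = SPD(inviolable=[Rule(22, PROTECT)],
              body=[Rule(25, PROTECT), Rule(80, BYPASS)],
              default=BYPASS)
    results = {}
    # Privileged app bypasses SMTP: its rule lands ahead of the body rule, so it wins.
    results["priv_bypass_25"] = spd.request(True, Rule(25, BYPASS, "privapp"))
    results["lookup_25"] = spd.lookup(25).action
    # Privileged app tries to bypass SSH: the inviolable rule sits ahead of its insertion point.
    spd.request(True, Rule(22, BYPASS, "privapp"))
    results["lookup_22"] = spd.lookup(22).action
    # Unprivileged app protects port 8080, which no system rule covers: default BYPASS becomes PROTECT.
    results["unpriv_protect_8080"] = spd.request(False, Rule(8080, PROTECT, "app"))
    results["lookup_8080"] = spd.lookup(8080).action
    # Unprivileged app asks to protect HTTP: the explicit system BYPASS rule is ahead and still wins.
    spd.request(False, Rule(80, PROTECT, "app"))
    results["lookup_80"] = spd.lookup(80).action
    # Unprivileged BYPASS request is refused outright.
    results["unpriv_bypass_25"] = spd.request(False, Rule(25, BYPASS, "app"))
    results["lookup_9999"] = spd.lookup(9999).action   # falls through to the default
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note the consequence of tail placement for unprivileged requests: an app cannot turn an explicit system BYPASS into PROTECT, only upgrade traffic the system left to its default. If that is not the intended semantics, the unprivileged insertion point has to move ahead of some body rules, which is exactly the "where in the SPD" question the message raises.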