Re: WG next steps
>>>>> "Tony" == Tony Li <Tony.Li@procket.com> writes:
Tony> Not necessarily. If the network layer provided the transport with
Tony> an opaque handle for each path, then the transport layer wouldn't
Tony> have to touch locators at all. The network layer would still
Tony> need to inform the transport layer of path changes, but again, this
Tony> could be done via the handle.
If you do IPsec between every set of end-points, then you can easily insert
the appropriate End-point-identifiers for the transport layer. Bellovin has
pointed out that once you've authenticated the packet via IPsec, you just
don't care what's in the IP header. (This is often an argument against
AH.)

You don't really have to do this at all - you just hang all the PCB info on
the incoming IPsec SPD entry, but this is an implementation short-cut.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
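A toy model of the point made in the message above, added here as an example and not part of the original post: once a packet authenticates under a security association, the receiver takes the end-point identifier bound to that SA and finds the PCB by it, so a change of source locator does not change which connection the packet belongs to. The packet layout, the `SAD` and `PCBS` tables, the keys and all function names are assumptions for illustration, not ESP wire format or any real stack's API.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
HDR_LEN = 8   # toy header: SPI (4 bytes) + source port (2) + destination port (2)

# Constructed SA database: SPI -> (auth key, end-point identifier bound at key exchange).
SAD = {
    0x1001: (b"k" * 32, "eid:alice"),
    0x1002: (b"j" * 32, "eid:bob"),
}

# PCB table keyed by (end-point identifier, local port, remote port).
# No locator (IP address) appears in the key.
PCBS = {}


def seal(spi, key, sport, dport, payload):
    """Sender side: toy header and payload followed by an HMAC tag over both."""
    body = struct.pack("!IHH", spi, sport, dport) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def receive(outer_src, packet):
    """Authenticate first, then demultiplex on the SA's identifier.

    outer_src stands in for the unauthenticated IP source address. It is
    recorded as the current path but never used to select the PCB.
    """
    if len(packet) < HDR_LEN + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    spi, sport, dport = struct.unpack("!IHH", body[:HDR_LEN])
    sa = SAD.get(spi)
    if sa is None:
        return None  # no SA for this SPI: drop
    key, eid = sa
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # failed authentication: drop before any transport state is touched
    pcb = PCBS.setdefault((eid, dport, sport),
                          {"eid": eid, "bytes": 0, "last_locator": None})
    pcb["bytes"] += len(body) - HDR_LEN
    pcb["last_locator"] = outer_src  # path change noted, connection identity unchanged
    return pcb
```

The model omits anti-replay and encryption; it only shows where the identity used for transport demultiplexing comes from.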