-----BEGIN PGP SIGNED MESSAGE-----
"Stephen" == Stephen Kent <kent@xxxxxxx> writes:
Stephen> An important feature of IPsec is that an administrator can impose
Stephen> security controls on traffic without having to rely on individual
Stephen> applications to be able to make these choices, and without having to
...
Stephen> For example, I assume that even if we have an API that apps can use
Stephen> to specify controls, that you would want some defaults and one way of
Stephen> configuring the defaults is via an administrator interface. Would
Stephen> that satisfy your goals?
Stephen, if you go see the original NRL API (which KAME is mostly a clone
of), it pretty much has everything you want:
1) admin can force things to be clear, or to be private.
2) applications can request services within the parameters given
3) some applications (privileged ones) can override, particularly, IKE
daemons can get port 500 stuff out.
But, the NRL API wasn't perfect, and left lots of things to be desired.