Re: [anonsec] review comments on draft-ietf-btns-prob-and-applic-06.txt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 6:00 PM -0600 1/11/08, Nicolas Williams wrote:
...

Finally, multi-user systems may need to authenticate individual users to
other entities, in which case IPsec is inapplicable[*].  (I cannot find
a mention of this in the I-D, not after a quick skim.)

[*] At least to my reading of RFC4301, though I see no reason why a
    system couldn't negotiate narrow SAs, each with different local IDs
    and credentials, with other peers.  But that wouldn't help
    applications that multiplex messages for many users' onto one TCP
    connection (e.g., NFS), in which case even if my readinf of RFC4301
    is wrong IPsec is still not applicable for authentication.

IPsec has always allowed two peers to negotiate multiple SAs between them, e.g., on a per-TCP connection basis. Ipsec does support per-user authentication if protocol ID and port pairs can be used to distinguish the sessions for different users. So, if you want to restrict the cited motivation to applications that multiplex different users onto a single TCP/UDP session, that would be accurate.

Steve

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]