Re: [anonsec] I-D Action:draft-ietf-btns-connection-latching-06.txt

Nicolas Williams <Nicolas.Williams@sun.com> Wed, 09 April 2008 16:16 UTC

Return-Path: <anonsec-bounces@postel.org>
X-Original-To: ietfarch-btns-archive-waDah9Oh@core3.amsl.com
Delivered-To: ietfarch-btns-archive-waDah9Oh@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9501F28C4D0 for <ietfarch-btns-archive-waDah9Oh@core3.amsl.com>; Wed, 9 Apr 2008 09:16:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.146
X-Spam-Level:
X-Spam-Status: No, score=-2.146 tagged_above=-999 required=5 tests=[AWL=-0.147, BAYES_00=-2.599, J_CHICKENPOX_37=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bwrebiG3PShM for <ietfarch-btns-archive-waDah9Oh@core3.amsl.com>; Wed, 9 Apr 2008 09:16:41 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by core3.amsl.com (Postfix) with ESMTP id 6852C3A6DB8 for <btns-archive-waDah9Oh@lists.ietf.org>; Wed, 9 Apr 2008 09:16:17 -0700 (PDT)
Received: from boreas.isi.edu (localhost [127.0.0.1]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id m39FoTKG017478; Wed, 9 Apr 2008 08:50:29 -0700 (PDT)
Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id m39Fo69Q017364 for <anonsec@postel.org>; Wed, 9 Apr 2008 08:50:07 -0700 (PDT)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m39Fo5Fa014859 for <anonsec@postel.org>; Wed, 9 Apr 2008 15:50:06 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id m39Fo5Rp060979 for <anonsec@postel.org>; Wed, 9 Apr 2008 09:50:05 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m39Fo5BZ006739; Wed, 9 Apr 2008 10:50:05 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m39Fo58p006738; Wed, 9 Apr 2008 10:50:05 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Wed, 9 Apr 2008 10:50:05 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Daniel Migault <daniel.migault@orange-ftgroup.com>
Message-ID: <20080409155004.GB16998@Sun.COM>
Mail-Followup-To: Daniel Migault <daniel.migault@orange-ftgroup.com>, Daniel Migault <mglt.biz@gmail.com>, anonsec@postel.org
References: <20080225093002.01ABB3A6CB2@core3.amsl.com> <c17ec2f80803132253k6442ec40m99be1872704f5c5a@mail.gmail.com> <20080407180003.GB16998@Sun.COM> <20080407193811.GK16998@Sun.COM> <47FCD90D.1000007@orange-ftgroup.com>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <47FCD90D.1000007@orange-ftgroup.com>
User-Agent: Mutt/1.5.7i
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: nicolas.williams@sun.com
Cc: anonsec@postel.org
Subject: Re: [anonsec] I-D Action:draft-ietf-btns-connection-latching-06.txt
X-BeenThere: anonsec@postel.org
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: "Discussions of anonymous Internet security." <anonsec.postel.org>
List-Unsubscribe: <http://mailman.postel.org/mailman/listinfo/anonsec>, <mailto:anonsec-request@postel.org?subject=unsubscribe>
List-Archive: <http://mailman.postel.org/pipermail/anonsec>
List-Post: <mailto:anonsec@postel.org>
List-Help: <mailto:anonsec-request@postel.org?subject=help>
List-Subscribe: <http://mailman.postel.org/mailman/listinfo/anonsec>, <mailto:anonsec-request@postel.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: anonsec-bounces@postel.org
Errors-To: anonsec-bounces@postel.org

On Wed, Apr 09, 2008 at 04:56:13PM +0200, Daniel Migault wrote:
> Your figure is probably clearer than mine, and it is better to separate 
> the esp/ah layer from the key management layer.
> The logical SPD is the combination of decorrelated SPD and ULP-driven 
> SPD.  The figure mentions interaction between IKEv2 and the Logical SPD, 
> but I don't see interaction between ULP and the logical SPD. Maybe one 
> could add one arrow between ULP and the logical SPD.

Yes, I need to fix that.  It needs to be more like this:
   +--------------------------------------------+
   |                       +--------------+     |
   |                       |Administrator |     |
   |                       |apps          |     |
   |                       +--------------+     |
   |                            ^      ^        |
   |                            |      |        | user mode
   |                            v      v        |
   | +--------------+      +-------++--------+  |
   | |App           |      |IKEv2  ||        |  |
   | |              |      | +---+ || +----+ |  |
   | |              |      | |PAD| || |SPD | |  |
   | |              |      | +---+ || +--^-+ |  |
   | +--------------+      +-+-----++----+---+  |
   |   ^                     |           |      |
   +---|---------------------|-----------|------+  user/kernel mode
   |   |syscalls             |  PF_KEY   |      |  interface
   +---|---------------------|-----------|------+
   |   v                     |           |      |
   |+-------+   +------------|-----------|-----+|
   ||ULP    |   | IPsec   key|manager    |     ||
   |+-------+   |            |  +--------v----+||
   | ^  ^       |            |  | Logical SPD |||
   | |  |       |            |  +-----------^-+||
   | |  |       |            +-------+      |  ||  kernel mode
   | |  |       |                    |      |  ||
   | |  |       | +----------+    +--v--+   |  ||
   | |  +-------->| Latch DB |<-->| SAD |   |  ||
   | |          | +----------+    +--^--+   |  ||
   | |          +--------------------|------|--+|
   +-|-------------------------------v------v---+
   | | IPsec Layer  (ESP/AH)                    |
   | |                                          |
   +-v------------------------------------------+
   |   IP Layer                                 |
   +--------------------------------------------+
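As an added example that is not part of the original message, the draft, or any real implementation: a toy Python model of the Latch DB box in the figure and the arrows around it (ULP <-> Latch DB, Latch DB <-> SAD, and the ULP-driven entries that the Latch DB contributes to the Logical SPD, which is the missing arrow the quoted comment asks about). The class and field names, the flow-key shape, the "anon" identity marker and the constructed SPIs, identities and addresses are all my assumptions, not values from the draft.

```python
# Added example (not from the original message, the draft, or any real
# implementation): a toy model of the Latch DB in the figure above and its
# interaction with the ULP, the SAD and the ULP-driven part of the logical
# SPD. All names and field choices here are my own assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (ulp, local addr, local port, remote addr, remote port); assumed shape
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class SAParams:
    """IPsec parameters that a latch pins for the lifetime of a connection."""
    protocol: str    # "ESP" or "AH"
    mode: str        # "transport" or "tunnel"
    local_id: str    # authenticated local identity, or "anon" for BTNS-style SAs
    peer_id: str     # authenticated peer identity, or "anon"


@dataclass(frozen=True)
class SAEntry:
    """One SAD entry, SPI -> parameters (keys and lifetimes omitted)."""
    spi: int
    params: SAParams


class LatchDB:
    """Per-flow latches plus the ULP-driven SPD entries they imply."""

    def __init__(self, sad: Dict[int, SAEntry]) -> None:
        self.sad = sad                                 # toy SAD, one table for both directions
        self.latches: Dict[FlowKey, SAParams] = {}     # the Latch DB proper
        self.ulp_spd: Dict[FlowKey, SAParams] = {}     # ULP-driven logical SPD entries
        self.dropped = 0

    def latch(self, flow: FlowKey, params: SAParams) -> bool:
        """ULP asks to latch a flow. Idempotent; refuses to change an existing latch."""
        current = self.latches.get(flow)
        if current is not None:
            return current == params
        self.latches[flow] = params
        # The latch also becomes a ULP-driven SPD entry, so the key manager
        # negotiates only SAs with these parameters for this flow.
        self.ulp_spd[flow] = params
        return True

    def unlatch(self, flow: FlowKey) -> None:
        """Connection closed: remove the latch and its SPD entry."""
        self.latches.pop(flow, None)
        self.ulp_spd.pop(flow, None)

    def inbound(self, flow: FlowKey, spi: Optional[int]) -> str:
        """Verdict for an inbound packet: 'accept', 'drop' or 'latched'.
        spi is None for a cleartext packet (no SA at all)."""
        sa = self.sad.get(spi) if spi is not None else None
        if spi is not None and sa is None:
            self.dropped += 1              # unknown SPI: no SA to check against
            return "drop"
        seen = sa.params if sa is not None else None
        latched = self.latches.get(flow)
        if latched is None:
            if seen is None:
                return "accept"            # unlatched, unprotected flow; ordinary SPD decides
            self.latch(flow, seen)         # first packet of a new connection: ULP latches it
            return "latched"
        if seen != latched:
            self.dropped += 1              # wrong SA (or cleartext) on a latched flow
            return "drop"
        return "accept"

    def outbound_sa(self, flow: FlowKey) -> Optional[int]:
        """SPI of an SA matching the flow's latch, or None when there is none
        yet (the ULP waits for the key manager, driven by the SPD entry)."""
        latched = self.latches.get(flow)
        if latched is None:
            return None                    # unlatched flow: plain SPD lookup, not modelled
        for spi, sa in self.sad.items():
            if sa.params == latched:
                return spi
        return None


def demo() -> Dict[str, object]:
    """Constructed scenario: a TCP flow latched to an ESP transport SA with
    peer 'peer-a' keeps accepting that SA and drops traffic that arrives via
    an SA authenticated as 'peer-b' or in cleartext."""
    a = SAParams("ESP", "transport", "host.example", "peer-a")
    b = SAParams("ESP", "transport", "host.example", "peer-b")
    sad = {0x1001: SAEntry(0x1001, a), 0x1002: SAEntry(0x1002, b)}
    db = LatchDB(sad)
    flow: FlowKey = ("tcp", "10.0.0.1", 22, "10.0.0.2", 40001)
    verdicts: List[str] = [
        db.inbound(flow, 0x1001),   # first packet: latch on peer-a's SA
        db.inbound(flow, 0x1001),   # same SA: accept
        db.inbound(flow, 0x1002),   # peer-b's SA: drop
        db.inbound(flow, None),     # cleartext: drop
        db.inbound(flow, 0x1001),   # original SA still fine
    ]
    del sad[0x1001]                 # SA expired: outbound has nothing matching
    waiting = db.outbound_sa(flow)
    sad[0x1003] = SAEntry(0x1003, a)  # rekeyed SA with identical parameters
    rekeyed = db.outbound_sa(flow)
    return {"verdicts": verdicts, "dropped": db.dropped, "waiting": waiting,
            "rekeyed": rekeyed, "spd_matches_latch": db.ulp_spd[flow] == a}


if __name__ == "__main__":
    print(demo())
```

The design point the model makes explicit is the one the quoted comment raises: a latch is not only a filter on the SAD side, it also becomes an entry in the ULP-driven part of the logical SPD, so that when the latched SA expires the key manager negotiates a replacement with the same parameters and the ULP's outbound traffic resumes on it.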