application APIs
>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:
Stephen> An important feature of IPsec is that an administrator can impose
Stephen> security controls on traffic without having to rely on individual
Stephen> applications to be able to make these choices, and without having to
...
Stephen> For example, I assume that even if we have an API that apps can use
Stephen> to specify controls, that you would want some defaults and one way of
Stephen> configuring the defaults is via an administrator interface. Would
Stephen> that satisfy your goals?
Stephen, if you go see the original NRL API (which KAME is mostly a clone
of), it pretty much has everything you want:
1) admin can force things to be clear, or to be private.
2) applications can request services within the parameters given
3) some applications (privileged ones) can override; in particular, IKE
daemons can get port 500 stuff out.
But, the NRL API wasn't perfect, and left lots of things to be desired.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [