[OpenAFS] data encryption

Derek Atkins warlord@MIT.EDU
04 Jan 2001 14:40:03 -0500


Unfortunately there is no standard API to obtain IPSec credentials.
Sure, different implementations _may_ decide to supply an API, but then
you'd have to figure out what IPSec implementation you are using and
code specifically to that.  However the fact remains that most
implementations DO NOT supply application-level access to SA creds.

Sure, we could standardize an API.  But first we'd have to come up
with one, and then we'd have to go through the process of
standardizing it.  Oh, yeah, then we'd have to wait for it to get
implemented.  So I suppose in 2005 we might have this available...

But we're talking about the here and now, making changes to subsystems
that we control.  I'm not going to wait until Micro$oft decides they
want to support a (not-yet-created) standard API to access IPSec SA
credentials.  I'd rather get AFS encrypting now, thank you very much.


Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us> writes:

> > This would require at least as much processing power as just
> > encrypting AFS itself ;) The other problem with "just use IPSec" is
> > that application protocols don't benefit from the security
> > infrastructure.  I.e. an application cannot query the IPSec SA to find
> > out who sent a particular packet.
> This is an implementation limitation of current ipsec implementations.
> Do not assume this will always be the case.
> It's worth noting that ipsec is much more amenable to hardware
> acceleration than many other security protocols.
> 						- Bill

       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available