
Re: [LinkSec] Meeting Notes: 04 feb 2003




I will try to respond to this terse description.  The first three bytes of 
the SDE header look like a reserved DSAP.  This can be used by a receiving 
station or bridge for demultiplexing.  The security association identifier 
(SAID) is used for further demultiplexing.  The SAID is used to look up 
which security services are associated with a particular security 
association.  For example, the SAID is used to look up the encryption key 
and encryption algorithm.  These in turn indicate how many octets, if any, 
of the ciphertext represent the initialization vector (IV).

Russ

At 12:41 AM 2/8/2003 -0700, Mani, Mahalingam (Mahalingam) wrote:

>Marcus: (In reference to the Corporate Scenario slides posted by him 
>2/3/03) which applicable models of interest are we going to pursue? As of 
>Nortel's example: Router at the backend with high-speed switching; 
>wide-area fabric is IP-based.
>
>no multi-tenanting arrangements. secure end-stn.-to end-stn. discussions 
>previously discussed: elegant; complex and; requires a web of trust 
>between end-stns; implying PKI/Kerberos to be suitable model of 
>authentication and key mgmt.
>
>the other case is hop-hop with immediate next neighbor hop. 802.10 type 
>crypto-aware vs. non-crypto-aware bridges.
>
>
>
>Norm: unable to tease how it works out of 802.10 doc.
>
>Marcus: not sure how it is supposed to work
>
>(reference to absence of Russ who could have thrown more light on the 
>motivations in 802.10 in regard to this).
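
Added example, not part of the original message or of the 802.10 document: a Python sketch of the receive-side demultiplexing Russ describes (designator check, SAID lookup, then the security association deciding how many leading octets are IV). Assumptions not stated in the message: the designator octets 0x0A 0x0A 0x03, a 4-octet SAID directly followed by the protected data, and the constructed SA table with its hypothetical algorithm labels.

```python
import struct
from dataclasses import dataclass

# Assumptions (not stated in the message): designator octets and SAID width.
SDE_DESIGNATOR = bytes.fromhex("0a0a03")
SAID_LEN = 4
HDR_LEN = len(SDE_DESIGNATOR) + SAID_LEN

class SDEError(ValueError):
    """Frame cannot be demultiplexed; the receiver should discard it."""

@dataclass(frozen=True)
class SecurityAssociation:
    algorithm: str  # hypothetical label, not a registered identifier
    key: bytes
    iv_len: int     # leading ciphertext octets that are the IV; 0 means none

# Constructed sample table: SAID -> security association.
SA_TABLE = {
    0x00000101: SecurityAssociation("block-cipher-cbc", bytes(range(16)), 8),
    0x00000102: SecurityAssociation("integrity-only", bytes(16), 0),
}

def demux_sde(pdu: bytes, sa_table=SA_TABLE):
    """Return (said, sa, iv, remainder) or raise SDEError."""
    if len(pdu) < HDR_LEN:
        raise SDEError("truncated SDE header")
    # Stage 1: the leading octets identify the PDU as SDE.
    if pdu[:len(SDE_DESIGNATOR)] != SDE_DESIGNATOR:
        raise SDEError("not an SDE PDU")
    # Stage 2: the SAID selects the security association.
    (said,) = struct.unpack("!I", pdu[len(SDE_DESIGNATOR):HDR_LEN])
    sa = sa_table.get(said)
    if sa is None:
        # No SA means no key or algorithm: never guess an IV length.
        raise SDEError(f"unknown SAID {said:#010x}")
    body = pdu[HDR_LEN:]
    if len(body) < sa.iv_len:
        raise SDEError("body shorter than the IV this SA requires")
    # Stage 3: only the SA says where the IV ends.
    return said, sa, body[:sa.iv_len], body[sa.iv_len:]

if __name__ == "__main__":
    # Constructed PDU: designator, SAID 0x101, 8-octet IV, 4 octets of ciphertext.
    pdu = SDE_DESIGNATOR + struct.pack("!I", 0x101) + b"\xaa" * 8 + b"\x01\x02\x03\x04"
    said, sa, iv, rest = demux_sde(pdu)
    print(f"SAID={said:#x} alg={sa.algorithm} iv={iv.hex()} rest={rest.hex()}")
```

The same body octets split differently under SAID 0x102, which is why a receiver without the matching security association cannot even locate the IV and has to discard the frame.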