However, the access control semantics of RFC4301 depend on the SPD being
ordered, and SPD de-correlation is intended to preserve the access
control semantics of a pre-de-correlation, ordered SPD. N'est ce pas?
My view was that app-driven rules, in the model we'll describe, are
inserted into a normal SPD and then de-correlation is done again in
order to install the new SPD.

Implementors may choose to do this differently, provided that they
maintain the same semantics.

Marking an insertion point into the SPD -- bissecting it -- is the
equivalent of what you propose: all the rules ahead of the insertion
point for unprivileged apps are 'S' and all the rules behind it are 'U'.

We need a canonical model only to explain what the correct semantics
are, not to dictate implementation.

I fully expect that some implementations will do something really
simple, like: unprivileged app-driven PROTECT rules go at the back of
the SPD, while privileged app-drive BYPASS rules go at the head of the
SPD. I expect such an implementation to match the semantics of that
we'll describe for PROTECT OR BYPASS (and not because we should describe
what implementations that have this feature do, but because this is
fairly natural).

Nico
--

OK, then we need to make sure that this, and analogous restrictions,
are stated explicitly.
If we restrict the sorts of SPD entries top which BTMS applies, then
the problem I cited does not arise. Otherwise, we have a scenario in
which there is an extant, BYPASS SA and a new, PROTECTED SA, and
there is no way to decide which traffic belongs on which SA, based on
the cached SPD entry model defined in 4301.
How one uses entries in the SPD caches and in the forwarding tables
to create nesting of SAs is already defined in the 4301 model. That
was not my concern.

I admit that I do not understand how connection latching is realized
relative to the 4301 model. When I look at your connection latching
I-D, I see some new terms, e.g., "template" PAD entry and "cloned"
PAD and SPD entry, and an informal description of how to use them to
effect connection latching. I didn't see a description of how the
4301 model is extended to accommodate these new features. I think
that needs to be part of the document, i.e., a comparison of how 4301
describes packet processing vs. what will now be required, and an
analysis of why the changes do not undermine the security provided by
4301.

Additionally, if there are any changes that affect the performance
features of 4301, e.g., the ability to cache de-correlated SPD
entries, that too needs to be addressed. For example, an important
feature of 4301 is the use of caches, to avoid the need to search the
SPD for each outbound packet, or to search it to verify that a packet
received on an SA was consistent with the access controls for that
SA. The text in the connection latching I-D does not make clear if
the same processing model applies, given the references to cloned and
template PAD and SPD entries

Also, whereas the BTNS I-D describes adding ONE new PAD entry, at the
end, to allow communication with unauthenticated peers, we have been
discussing much more elaborate capabilities, which require multiple
new PAD entries, insertion at other than the end of the PAD table,
restrictions on the types of SPD entries can can be safely used (as
you explained above), etc. These are not in the BTNS I-D, and they do
not appear to be in the connection latching I-D.

Steve