On Sun, 2009-11-29 at 19:59 -0500, Stephen Kent wrote:
> I think that there has been insufficient discussion of whether those 
> who wish to make use of IPsec to enforce mandatory access controls 
> require the facilities described by the folks who have proposed this. 
> At the WG meeting 2 weeks ago I made two observations:
> 
>       -  possible use of CIPSO for carrying labels had not been 
> fully discussed
>       - use of tunnel mode to protect such labels in the inner 
> header did not appear to have been considered

The drafts do mention IPSO/CIPSO. They also acknowledge that FIPS-188
describes the use of free-form tags that would allow additional security
attributes. However, there is nothing protecting the data and header,
including the security context. Nor is anything preserving or protecting
the bindings between the data and security context. Only IPSO is a
standard, and it was designed to support security labels used by DoD.

Yes, I agree, tunnel mode could be used to protect the data, header,
security context and thus bindings. However, it seems useful that, if you
are going to deploy IPsec in a MAC environment, it includes a mechanism
to handle labels too.

The method described in the labeled IPsec drafts was originally designed
using IKEv1. Perhaps through further discussion this method could be
refined and improved upon for IKEv2.

> I think it is incumbent on those who wish to pursue this work to 
> provide more persuasive arguments. It also seems appropriate to have 
> a discussion of whether mandatory, label-based controls are 
> sufficiently mainstream to warrant bringing them back into IPsec at 
> this time, or whether this is more of a research topic.
> 

I believe they are becoming more mainstream. For example, SELinux and
Simplified Mandatory Access Control (SMACK) in the Linux operating system,
and Mandatory Integrity Control in Windows Vista. However, I am also
inclined to agree that at this time it could be argued to be more of a
research topic.

regards,
Joy
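An added illustration of the point argued in the message above (tunnel mode protecting the label and its binding to the data, transport mode not), written for this page and not taken from the labeled IPsec drafts or the WG discussion. It builds a minimal CIPSO option (IANA IP option 134, one tag-type-1 tag with no categories) on a toy IPv4 header, then wraps the packet in a deliberately simplified ESP (NULL encryption, no padding or trailer, HMAC-SHA256 truncated to 128 bits over SPI, sequence number and payload). Addresses, DOI, key and payload are constructed values. The two check functions relabel the packet after protection and report whether the receiver's ICV check catches it.

```python
"""Where ESP's integrity check covers a CIPSO label: transport vs tunnel mode.
Toy ESP: NULL encryption, no trailer, HMAC-SHA256/128 over SPI||seq||payload."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-integrity-key"   # constructed demo key, not a real SA key
CIPSO_OPTION_TYPE = 134                    # IANA IP option number for CIPSO
ICV_LEN = 16
ESP_HDR_LEN = 8                            # SPI (4) + sequence number (4)
ESP_PROTO = 50
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
DATA = b"labeled payload"                               # constructed payload


def cipso_option(doi: int, level: int) -> bytes:
    """Minimal CIPSO option: type, length, DOI, one tag-type-1 tag, no categories."""
    # tag type 1 (bitmap), tag length 4, alignment octet, sensitivity level
    tag = struct.pack("!BBBB", 1, 4, 0, level)
    body = struct.pack("!I", doi) + tag
    return struct.pack("!BB", CIPSO_OPTION_TYPE, 2 + len(body)) + body


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, options: bytes = b"") -> bytes:
    """IPv4 header with options padded to a 32-bit boundary; checksum left zero (toy)."""
    opts = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                        0, 0, 64, proto, 0, src, dst)
    return fixed + opts


def cipso_level(ip_hdr: bytes) -> int:
    """Sensitivity level of the CIPSO option placed directly after the 20-byte fixed header."""
    assert ip_hdr[20] == CIPSO_OPTION_TYPE
    return ip_hdr[20 + 2 + 4 + 3]   # skip type, length, DOI, then tag type/len/alignment


def set_cipso_level(buf: bytes, hdr_offset: int, level: int) -> bytes:
    """Overwrite the sensitivity level in the IP header that starts at hdr_offset (in-flight relabel)."""
    assert buf[hdr_offset + 20] == CIPSO_OPTION_TYPE
    pos = hdr_offset + 20 + 2 + 4 + 3
    return buf[:pos] + bytes([level]) + buf[pos + 1:]


def esp_protect(payload: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    """Toy ESP: header, payload, then ICV computed over header and payload."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(KEY, esp_hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return esp_hdr + payload + icv


def esp_verify(esp: bytes) -> bool:
    """Receiver-side ICV check over everything except the ICV itself."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def transport_mode(level: int) -> bytes:
    """Transport mode: the CIPSO option rides in the one IP header, outside ESP's ICV coverage."""
    esp = esp_protect(DATA)
    return ipv4_header(SRC, DST, ESP_PROTO, len(esp), cipso_option(1, level)) + esp


def tunnel_mode(level: int) -> bytes:
    """Tunnel mode: the labeled inner header is part of the ESP payload, so the ICV covers it."""
    inner = ipv4_header(SRC, DST, 17, len(DATA), cipso_option(1, level)) + DATA
    esp = esp_protect(inner)
    return ipv4_header(SRC, DST, ESP_PROTO, len(esp)) + esp   # outer header carries no label


def transport_tamper_detected(original_level: int = 1, new_level: int = 3) -> bool:
    """Relabel the (only) IP header after protection; returns True if the ICV check fails."""
    pkt = set_cipso_level(transport_mode(original_level), 0, new_level)
    outer_len = (pkt[0] & 0x0F) * 4
    return not esp_verify(pkt[outer_len:])


def tunnel_tamper_detected(original_level: int = 1, new_level: int = 3) -> bool:
    """Relabel the inner header inside the ESP payload; returns True if the ICV check fails."""
    pkt = tunnel_mode(original_level)
    outer_len = (pkt[0] & 0x0F) * 4
    pkt = set_cipso_level(pkt, outer_len + ESP_HDR_LEN, new_level)
    return not esp_verify(pkt[outer_len:])


if __name__ == "__main__":
    print("transport mode, label relabeled in flight, ICV failure:", transport_tamper_detected())
    print("tunnel mode,    label relabeled in flight, ICV failure:", tunnel_tamper_detected())
```

In transport mode the relabel goes unnoticed because the IP header, and with it the CIPSO option, is outside what ESP authenticates; in tunnel mode the same edit lands inside the ESP payload and breaks the ICV. A real tunnel-mode SA would also encrypt the inner header, hiding the label from the path entirely; the NULL-encryption toy keeps the offsets visible so the coverage difference is the only thing being shown.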


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
