Please remember that it is up to the WG to define the work item. The I-D is just a possible starting point, so if there's strong interest in this area, you may wish to reach consensus on a charter item - and to convince the rest of us that enough people are interested.
Thanks,
    Yaron

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
> Nicolas Williams
> Sent: Friday, December 04, 2009 20:46
> To: Dan McDonald
> Cc: ipsec@ietf.org; Joy Latten
> Subject: Re: [IPsec] Proposed work item: Labelled IPsec
>
> On Fri, Dec 04, 2009 at 01:39:46PM -0500, Dan McDonald wrote:
> > The bigger point being missed by this thread, I think, is that it
> > seems that any work in multi-level security needs to deal with
> > successful interoperability. If it doesn't, there's little point in
> > documenting a single-platform solution as part of a working group's
> > output.
>
> +1.
>
> The proposed work item is, at first glance anyways, too
> SELinux-specific.
>
> Note that SMACK encodes its labels as CIPSO labels, so a scheme that
> uses CIPSO can possibly be used in SMACK and non-SMACK environments, and
> possibly even be mixed.
>
> In any case, there have been lengthy threads elsewhere (saag, IIRC)
> about MAC interoperability.
>
> Some options to consider:
>
>  - implicit labeling
>     - derived from CERTs
>     - derived from IDs
>     - derived from network addresses
>  - negotiated labeling
>     - requires a DOI negotiation of some sort
>     - each node asserts one, or more, or a range of labels (SMACK, for
>       example, doesn't support the notion of label ranges) and the peers
>       evaluate and narrow the assertion according to policy and produce
>
> All I see in the proposed work item is single label assertions. That
> strikes me as insufficient.
>
> Nico
> --
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec