Please remember that it is up to the WG to define the work item. The I-D is 
just a possible starting point, so if there's strong interest in this area, you 
may wish to reach consensus on a charter item - and to convince the rest of us 
that enough people are interested.

Thanks,
        Yaron

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
> Nicolas Williams
> Sent: Friday, December 04, 2009 20:46
> To: Dan McDonald
> Cc: ipsec@ietf.org; Joy Latten
> Subject: Re: [IPsec] Proposed work item: Labelled IPsec
> 
> On Fri, Dec 04, 2009 at 01:39:46PM -0500, Dan McDonald wrote:
> > The bigger point being missed by this thread, I think, is that it
> > seems that any work in multi-level security needs to deal with
> > successful interoperability.  If it doesn't, there's little point in
> > documenting a single-platform solution as part of a working group's
> > output.
> 
> +1.
> 
> The proposed work item is, at first glance anyways, too SELinux-
> specific.
> 
> Note that SMACK encodes its labels as CIPSO labels, so a scheme that
> uses CIPSO can possibly be used in SMACK and non-SMACK environments, and
> possibly even be mixed.
> 
> In any case, there have been lengthy threads elsewhere (saag, IIRC)
> about MAC interoperability.
> 
> Some options to consider:
> 
>  - implicit labeling
>     - derived from CERTs
>     - derived from IDs
>     - derived from network addresses
>  - negotiated labeling
>     - requires a DOI negotiation of some sort
>     - each node asserts one, or more, or a range of labels (SMACK, for
>       example, doesn't support the notion of label ranges) and the peers
>       evaluate and narrow the assertion according to policy and produce
> 
> All I see in the proposed work item is single label assertions.  That
> strikes me as insufficient.
> 
> Nico
> --
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
> 