On Thu, 12 Mar 2009, RJ Atkinson wrote:
A single UDP/IP session (one example is ONC RPC, but that is
not the only example) between a pair of nodes might have
different packets with different Sensitivity Labels.  This
is also described in the draft.

I took one of Lars' concerns as being that having essentially multiple different sessions (with different labels) under a single session is problematic. I don't see why such an approach is needed and why this is the right place to handle it, and even if done like this, why this could not be solved using other approaches (e.g. a destination option).

In the special case where a node or link is not MLS, then the edge
router facing that non-MLS link inserts/removes the labels on behalf
of those (typically MS Windows) systems -- as described in the
document.

This breaks RFC 2460's assumption that boxes in the middle don't add or remove options or headers. Problems caused by this are both architectural and technical; one technical issue not (AFAICS) addressed in the text happens if the packet size would exceed MTU when the option is added.

L3 VPNs simply aren't, and never have been, an ACL mechanism
for drop/no-drop decisions on a per-packet basis.

Access lists and various other access control mechanisms have been applied in almost every conceivable place in the architecture, however.

If the label were a destination option, then routers would
be incapable of applying ACL rules (drop or not drop) based
on this option, and could not enable non-MLS end systems
to participate in the MLS deployment.

Not true. Routers can have code that examines the content of the destination options of a packet. I have a recollection that there are multiple implementations already capable of doing that.

Just to apply ACL rules, hop-by-hop option is not necessary, though from some perspective, it may be the simplest approach.

The reasons a router wants to look at this option are:

1) to decide whether to drop the packet rather than forward it
out some interface or accept it in from some interface.  This
is also described in the document.  [Cisco even has some
documentation on this if one greps for RFC-1108 in their IOS
manuals.]

Again, regular ACLs inspecting content are able to do that.

2) to decide whether to insert/remove a label from a packet,
in the special case of packets from/to a non-labelled link,
as described in the draft.

This has the issues mentioned above, but even if it is true, it would be equally possible to do that insertion with destination options or some other marking.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
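The two technical points argued in the reply above (that a router can find and enforce a label carried in a Destination Options header just as it can in a Hop-by-Hop header, and that an edge router inserting a label on behalf of a non-MLS host can push a packet past the link MTU) can be shown concretely. The following is an added example written for this page, not code from the draft, from Cisco or from either poster. It assumes a label option type of 7 and a toy two-byte label encoding (sensitivity level, compartment bitmap); the real option layout, the ACL policy semantics and the sample packets are all constructed for illustration.

```python
import struct

IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS, NH_UDP = 0, 43, 44, 60, 17
OPT_PAD1, OPT_PADN = 0, 1
OPT_LABEL = 7  # assumed option type for the sensitivity label (illustrative)


def build_options_header(next_header, options):
    """Build a Hop-by-Hop or Destination Options header, padded to 8-octet alignment."""
    body = b"".join(struct.pack("!BB", t, len(d)) + d for t, d in options)
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += bytes([OPT_PAD1])
    elif pad >= 2:
        body += struct.pack("!BB", OPT_PADN, pad - 2) + b"\x00" * (pad - 2)
    hdr_ext_len = (2 + len(body)) // 8 - 1  # in 8-octet units, excluding the first 8
    return struct.pack("!BB", next_header, hdr_ext_len) + body


def build_ipv6(src, dst, next_header, payload):
    """Minimal IPv6 fixed header (version 6, hop limit 64) in front of payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, src, dst) + payload


def parse_options(body):
    """Yield (type, data) TLVs from an options-header body (the bytes after nh/len)."""
    i = 0
    while i < len(body):
        if body[i] == OPT_PAD1:
            i += 1
            continue
        length = body[i + 1]
        yield body[i], body[i + 2:i + 2 + length]
        i += 2 + length


def find_label(pkt):
    """Walk the extension-header chain like a router would; return (header_type, label) or None.

    The label is accepted from either Hop-by-Hop (0) or Destination Options (60),
    which is the point made in the reply: nothing stops a router from looking there.
    """
    nh, off = pkt[6], IPV6_HDR_LEN
    while True:
        if nh in (NH_HOPOPTS, NH_DSTOPTS, NH_ROUTING):
            ext_len = (pkt[off + 1] + 1) * 8
            if nh != NH_ROUTING:
                for t, d in parse_options(pkt[off + 2:off + ext_len]):
                    if t == OPT_LABEL:
                        return nh, d
            nh, off = pkt[off], off + ext_len
        elif nh == NH_FRAGMENT:
            nh, off = pkt[off], off + 8
        else:
            return None  # upper-layer header reached without a label


def acl_permits(pkt, lo, hi):
    """Interface ACL: forward only labelled packets whose level lies in [lo, hi]; drop unlabelled ones."""
    found = find_label(pkt)
    return found is not None and lo <= found[1][0] <= hi


def insert_label_at_edge(pkt, level, compartments, mtu):
    """Edge router adds a Hop-by-Hop label for a non-MLS host; fails if the packet would exceed the MTU."""
    if find_label(pkt) is not None:
        return pkt
    hbh = build_options_header(pkt[6], [(OPT_LABEL, struct.pack("!BB", level, compartments))])
    new_pkt = pkt[:6] + bytes([NH_HOPOPTS]) + pkt[7:IPV6_HDR_LEN] + hbh + pkt[IPV6_HDR_LEN:]
    new_pkt = new_pkt[:4] + struct.pack("!H", len(new_pkt) - IPV6_HDR_LEN) + new_pkt[6:]
    if len(new_pkt) > mtu:
        raise ValueError("inserting the label grows the packet to %d bytes, above MTU %d" % (len(new_pkt), mtu))
    return new_pkt


# Constructed sample packets: a UDP datagram labelled via Destination Options, and an unlabelled one.
SRC, DST = b"\x20\x01" + bytes(14), b"\x20\x02" + bytes(14)
UDP = struct.pack("!HHHH", 5000, 111, 8 + 4, 0) + b"data"
PKT_DSTOPTS = build_ipv6(SRC, DST, NH_DSTOPTS, build_options_header(NH_UDP, [(OPT_LABEL, b"\x02\x01")]) + UDP)
PKT_PLAIN = build_ipv6(SRC, DST, NH_UDP, UDP)

if __name__ == "__main__":
    print(find_label(PKT_DSTOPTS), acl_permits(PKT_DSTOPTS, 0, 3), acl_permits(PKT_DSTOPTS, 3, 5))
    print(find_label(insert_label_at_edge(PKT_PLAIN, 2, 1, 1280)))
```

Running it shows the label being found and enforced from a Destination Options header, and a label being inserted by the edge router as a Hop-by-Hop header. The MTU problem raised in the reply appears when the unlabelled packet already fills the minimum IPv6 MTU of 1280 bytes: the eight octets added by the edge router make it undeliverable without fragmentation, which an intermediate node is not permitted to perform.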