On Thu, 2011-08-04 at 09:11 -0700, Casey Schaufler wrote:
> On 8/4/2011 6:52 AM, Michael H. Warfield wrote:
> > On Wed, 2011-08-03 at 22:21 -0700, Casey Schaufler wrote:
> >> Smack does not use IPsec on IPv4. Smack uses CIPSO. CIPSO is implemented completely within the kernel. It has no user space component. There is no CIPSO equivalent for IPv6 due to the expectation that all IPv6 implementations will use IPsec and IPsec will address all security issues known to man and then some.
> >
> > Oh, one other point...
> >
> > "due to the expectation that all IPv6 implementations will use IPsec and IPsec will address all security issues known to man and then some."
> >
> > Whose assumption? Certainly not that of the IETF. Sounds like some nonsense promulgated by some anti-IPv6 camps and sounds somewhat denigrating and disparaging.
>
> Sorry about that. I was a founding member of TSIG* and we had a very uncomfortable set of interactions with IETF regarding CIPSO and SAMP**. We were very forcefully told to let the IETF provide for us, as we clearly didn't know what we were doing. IPsec was the solution presented, it didn't provide the security attribute transmission we required, and the systems that we needed the solution for had been dismantled long before IPsec was ready for deployment. Yes, there is some bitterness. The Unix trusted systems community never recovered from the lack of a standard that we could use to have the various vendors' systems talk to each other.

Gotcha. Yeah, I've been involved with several WGs at the IETF and was one of the original founders of the IDWG WG representing Internet Security Systems at the IETF. It's been described as the highest density of assholes per square meter on the face of the earth. I had an area director pull me into one of the "Emergency Preparedness WG" meetings one meeting just to sit in and critique the noise that was going on in that one (some of it centered around some disagreements between the ITU and the IETF and what should be provided for emergency responders). The discussion led by the emergency responders could best be described as: "We like toast. Make the Internet make toast." No comprehension. No clue. I understand fully from both sides of those arguments. I'm equally sure they thought the same thing about us.

I also understand that CIPSO was a draft for a common implementation of IPSO, RFC 1108, which seems to be largely DoD oriented. I saw the WG finished up business and the last draft expired back in '94 with no RFC (no biggie - XAUTH never got an RFC and I'm up to my behind in the Openswan XAUTH code). There's always been a certain level of tension between the purists in the IETF and others such as the military crowd or ITU or certain commercial interests.

I took part in some of the discussions over making IPsec support mandatory in IPv6 back in the bad ole days of ITAR when crypto was a tightly regulated, export restricted "munition". Yeah, back then, IPsec was presented as a be all and end all and they had dreams of end-to-end encryption for all. And here we are. Reality has had to set in. Sigh. Par for da course.

> ---
> * Trusted Systems Interoperability Group
> ** Security Attribute Modulation Protocol
>
> > It's demonstrably false. We still have MD5 signatures on TCP packets used by BGP on IPv6 (I'm also a contributor to quagga in that very area) even though it was originally "expected" that AH would replace MD5 signatures for BGP authentication. That expectation went bye-bye many years ago. We still have Kerberos. I don't see anyone going back to telnet instead of ssh over IPv6. We still have SSL over IPv6. The very statement is facetious on its face and can't possibly be taken seriously.
>
> You are of course correct. My comment was sarcastic and inappropriate.

NP. I've been rightfully accused of worse myself.

> > If SMACK does not support IPv6 then SMACK is broken. Fix it.
>
> That is and has always been the plan. It's really a matter of getting the hands onto it. It's a big project and will require more work than I can plan on getting done in the short term.

Well, the short course should be just to get the CIPSO tags into IPv6, but that's just IP option 134, right? You really don't need to mess with IPsec one way or the other. I know, I know, there's the whole layer of API and management and whatnot around it, so it's obviously not so simple as simply adding the AF to those modules. But it should just parallel the v4 code and not do anything special wrt the IPsec logic.

> > IPv6 is a reality.
>
> I never said otherwise.

I believe you. Cool.

> > Regards,
> > Mike
>
> Likewise,
> Casey

Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | m...@wittsend.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users