[fmac-discuss] Zones and Flask

Will Young William.Young at Sun.COM
Fri Apr 18 17:17:28 PDT 2008


Jarrett Lu wrote:
> Paul Moore wrote:
>   
>> On Friday 18 April 2008 10:51:15 am Stephen Smalley wrote:
>>   
>>     
>>> On Wed, 2008-04-16 at 12:24 -0700, Jarrett Lu wrote:
>>>     
>>>       
>>>>  Older versions of Trusted
>>>> Solaris supported protocols like TSIX which is capable of passing
>>>> richer security info. We abandoned support of TSIX (and other label
>>>> protocols) in TX as they create major problems in coexisting with
>>>> label unaware systems, among other reasons. Given the increasing
>>>> popularity of Flask technology and the number of implementations
>>>> out there, maybe it's time to think of a networking protocol which
>>>> enables efficient exchange of security info (e.g. security context,
>>>> privileges, etc.) as well as improving interoperability.
>>>>       
>>>>         
>>> Yes, I think that would be helpful.
>>>     
>>>       
>> I _strongly_ agree.  I also believe that any new labeling protocol needs 
>> to be developed in conjunction with the IETF with the goal of achieving 
>> at least an informational RFC.  Without IETF approval it will be 
>> difficult/impossible for us to get the necessary IANA reserved numbers 
>> which are important for interoperability with label unaware systems as 
>> Jarrett points out.
>>   
>>     
>
> I agree we should start at IETF and try hard this time. One of the main
> objections to CIPSO standards from IETF community is cleartext label and
> the assumption of a trusted physical network. With introduction of ongoing
> work on labeled IPsec and labeled NFSv4, and future work on labeled routing
> and IP multicast, I hope IETF realizes the activities and value in the
> labeled networking space. I am hopeful we'll have better luck than the
> CIPSO standards effort.
>   
    I'm having trouble seeing the value of separating integrity and 
labeling.  For a middle system to correctly examine a label it needs to 
have the ability to verify integrity.  If you are using IPsec for 
integrity and want an intermediary to participate then you would have to 
be able to have an SA at the label for the tunnel to the intermediary 
and an SA for the peer for transport integrity.

    If the system requires complete paranoia each party could transmit 
the intended transport SPIs and their label and the gateway could drop 
any mismatches.  Explicit labels could eliminate that stage, but I 
don't think that warrants the pain/cost of a variable size next hop IP 
option.

    Perhaps making CALIPSO a destination option would be a better stopgap 
measure.  This would imply one could do drop by label in firewalls 
but not route by label, which I don't think will ever be valid in terms 
of integrity at the IP layer.
    Labeled gateways would then want to set up auto-tunnels that have a 
destination option on the outer header for unlabeled packets and could 
at some later point have integrity.
    -Will

