[fmac-discuss] Zones and Flask
Paul Moore
paul.moore at hp.com
Mon Apr 21 19:05:03 PDT 2008
On Monday 21 April 2008 9:43:31 pm Jarrett Lu wrote:
> Bill Sommerfeld wrote:
> > On Mon, 2008-04-21 at 19:03 -0400, Paul Moore wrote:
> >>> depending on securing a set of nodes (some of which may be
> >>> internal to the network) is unavoidable; depending on securing
> >>> every millimeter of cable between them seems like asking for
> >>> trouble when you can't see the middle and both ends of every
> >>> cable that matters.
> >
> > we could provide these very security aware people an off-menu
> > labeled ESP + null auth + null encryption for use with their "other
> > mechanisms in place" and avoid the need to build two different
> > label & security attribute negotiation protocols.
>
> This may be a reasonable place to start. Different people will have
> different needs based on security of their networks, their scalability
> requirements, and overhead they are willing to accept. If we can use
> an existing mechanism and offer options ranging from null encryption
> to double encryption, it sounds like a good starting point to me.
The problem is that there is no IETF-published specification which
offers generic network labeling. While there are some provisions for
MLS labels in IKEv1 (I believe they were removed from IKEv2, need to
verify this) there was never a generic label mechanism. The current
labeled IPsec implementation used by SELinux is non-standard and
actually infringes on an existing IPsec/IKE specification.
--
paul moore
linux @ hp
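To make concrete what the "ESP + null auth + null encryption" option discussed above puts on the wire, here is an added example (written for this archive page; it is not code from the fmac-discuss list, from SELinux's labeled IPsec, or from any IPsec implementation). It assembles and parses the ESP framing of RFC 4303 with the NULL cipher of RFC 2410 and a zero-length ICV, then flips a payload byte to show that nothing in that framing detects the change. The function names, the constructed sample packet, and the choice to check the default 1, 2, 3, ... padding pattern are assumptions of this example; note also that plain ESP carries no field for a security label, which is the gap the reply above is pointing at.

```python
"""ESP with NULL encryption (RFC 2410) and no integrity check (null auth).

Added example, not code from the fmac-discuss list, SELinux or any IPsec
implementation. Function names and the sample packet are this example's own.
"""
import struct

ESP_HDR = struct.Struct("!II")  # SPI, sequence number (RFC 4303 sec. 2.1, 2.2)


def esp_null_encapsulate(spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    """Build an ESP packet with NULL encryption and no ICV.

    RFC 4303 requires the Pad Length and Next Header bytes to end on a
    4-byte boundary; NULL imposes no cipher block alignment of its own, so
    padding is chosen so that len(payload) + pad_len + 2 is a multiple of 4.
    Padding bytes follow the default monotonic pattern 1, 2, 3, ... so a
    receiver can check them (RFC 4303 sec. 2.4).
    """
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    trailer = struct.pack("!BB", pad_len, next_header)
    # NULL cipher: "encryption" is the identity and there is no IV.
    # Null auth: no ICV is appended, so nothing binds header to payload.
    return ESP_HDR.pack(spi, seq) + payload + padding + trailer


def esp_null_decapsulate(packet: bytes) -> dict:
    """Parse an ESP-NULL / no-ICV packet back into its fields.

    Raises ValueError only for framing errors. With no ICV, a modified
    payload byte is indistinguishable from a legitimate one.
    """
    if len(packet) < ESP_HDR.size + 2:
        raise ValueError("packet shorter than ESP header plus trailer")
    spi, seq = ESP_HDR.unpack_from(packet, 0)
    pad_len, next_header = struct.unpack_from("!BB", packet, len(packet) - 2)
    body = packet[ESP_HDR.size:len(packet) - 2]
    if pad_len > len(body):
        raise ValueError("pad length exceeds body")
    payload, padding = body[:len(body) - pad_len], body[len(body) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding does not match default pattern")
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}


def tamper_goes_undetected(packet: bytes, offset: int) -> bool:
    """Flip one byte at `offset` and report whether the receiver still accepts it.

    With null auth the only checks left are framing and the pad pattern, so a
    flipped payload byte parses cleanly. Whatever "other mechanisms" are in
    place on the network have to supply integrity themselves.
    """
    mutated = bytearray(packet)
    mutated[offset] ^= 0xFF
    try:
        esp_null_decapsulate(bytes(mutated))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: SPI 0x1000, seq 1, next header 6 (TCP), 3-byte payload.
    pkt = esp_null_encapsulate(0x1000, 1, 6, b"abc")
    print(pkt.hex())
    print(esp_null_decapsulate(pkt))
    print("payload tampering detected:", not tamper_goes_undetected(pkt, 8))
```

Flipping a byte inside the padding (offset 11 in the sample) is caught only because this example checks the default pad pattern; that check is a framing sanity test, not an integrity mechanism, and an attacker who rewrites the payload alone is never noticed.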