[fmac-discuss] Zones and Flask
Jarrett Lu
Jarrett.Lu at Sun.COM
Mon Apr 21 19:43:16 PDT 2008
Paul Moore wrote:
> On Monday 21 April 2008 9:43:31 pm Jarrett Lu wrote:
>
>> Bill Sommerfeld wrote:
>>
>>> On Mon, 2008-04-21 at 19:03 -0400, Paul Moore wrote:
>>>
>>>>> depending on securing a set of nodes (some of which may be
>>>>> internal to the network) is unavoidable; depending on securing
>>>>> every millimeter of cable between them seems like asking for
>>>>> trouble when you can't see the middle and both ends of every
>>>>> cable that matters.
>>>>>
>>> we could provide these very security aware people an off-menu
>>> labeled ESP + null auth + null encryption for use with their "other
>>> mechanisms in place" and avoid the need to build two different
>>> label & security attribute negotiation protocols.
>>>
>> This may be a reasonable place to start. Different people will have
>> different needs based on security of their networks, their scalability
>> requirements, and overhead they are willing to accept. If we can use
>> an existing mechanism and offer options ranging from null encryption
>> to double encryption, it sounds like a good starting point to me.
>>
>
> The problem is that there is not an IETF published specification which
> offers generic network labeling. While there are some provisions for
> MLS labels in IKEv1 (I believe they were removed from IKEv2, need to
> verify this) there was never a generic label mechanism. The current
> labeled IPsec implementation used by SELinux is non-standard and
> actually infringes on an existing IPsec/IKE specification.
>
>
As Bill said, the labeling text was removed due to lack of implementation. I believe the consensus was that the labeling text will go back in when people actually implement labels.

I believe an IETF specification on network labeling is very desirable. I just don't think FMAC should wait for or depend on this specification. Such a protocol specification can be controversial, as hinted by the discussion so far on this thread. We should start by asking what problem we want to solve with a new labeling protocol. Without proper scope, I doubt we will get very far.
Jarrett