[fmac-discuss] Zones and Flask
Stephen Smalley
sds at tycho.nsa.gov
Tue Apr 22 06:52:33 PDT 2008
On Tue, 2008-04-22 at 09:45 -0400, William Young wrote:
> Stephen Smalley wrote:
> > On Mon, 2008-04-21 at 19:13 -0700, Bill Sommerfeld wrote:
> >> On Mon, 2008-04-21 at 22:05 -0400, Paul Moore wrote:
> >>> The problem is that there is not an IETF published specification which
> >>> offers generic network labeling. While there are some provisions for
> >>> MLS labels in IKEv1 (I believe they were removed from IKEv2, need to
> >>> verify this) there was never a generic label mechanism.
> >> They were removed from IKEv2 (because of lack of implementation
> >> experience with them in IKEv1). IKEv2 could be extended to add them
> >> and/or other label-like attributes.
> >>
> >> I'm reluctant to approach the IETF without implementation experience in
> >> hand to help drive the IETF processes to a speedy convergence.
> >>
> >>> The current
> >>> labeled IPsec implementation used by SELinux is non-standard and
> >>> actually infringes on an existing IPsec/IKE specification.
> >> As a platform-neutral protocol I would suggest using something a little
> >> less SELinux-specific than an unstructured character string security
> >> context.
> >
> > A variable-length octet array would be fine. What we don't want to do
> > is wire the security label fields/content interpretation into the
> > protocol - that is encapsulated by the security server aka policy engine
> > and partly defined through policy configuration.
> I don't follow. Why would you think the other system has the same
> policy engine?
We wouldn't. As you said, there would be a DOI followed by the
unstructured variable-length octet array (which in our case is a
string).
> I think you do need to encode abstract DOI + label... The old neutral
> proposal was IPSO, I think CALIPSO would not be a bad choice in this
> context.
Except that it sounds like they are making the mistake of the past again
and limiting themselves to MLS-only labels. Which is unfortunate when
there are flexible MAC systems in production use already, probably more
of them than MLS systems.
--
Stephen Smalley
National Security Agency
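The "DOI followed by an unstructured variable-length octet array" design discussed in this message, as an added example that is not part of the original thread or any SELinux or IETF encoding: the wire format, the DOI values and the two label interpreters are all constructed for illustration, and the point is that the receiver's policy engine, not the protocol, decides what the octets mean.

```python
import struct

# Hypothetical wire format (assumed for this example, not a standard):
# 32-bit Domain of Interpretation, 16-bit length, then opaque label octets.
HDR = struct.Struct("!IH")

def encode_label(doi: int, label: bytes) -> bytes:
    """Wrap an opaque label as DOI + length + octets."""
    if len(label) > 0xFFFF:
        raise ValueError("label too long for 16-bit length field")
    return HDR.pack(doi, len(label)) + label

def decode_label(buf: bytes) -> tuple:
    """Return (doi, label, remaining bytes); the label is not interpreted."""
    if len(buf) < HDR.size:
        raise ValueError("truncated header")
    doi, length = HDR.unpack_from(buf)
    end = HDR.size + length
    if len(buf) < end:
        raise ValueError("truncated label")
    return doi, buf[HDR.size:end], buf[end:]

# Constructed DOI values, for illustration only.
DOI_SELINUX_CONTEXT = 0x0001
DOI_MLS_LEVEL = 0x0002

def interpret_mls(label: bytes) -> dict:
    """Constructed MLS-style label: 8-bit level plus a compartment bitmap."""
    if not label:
        raise ValueError("empty MLS label")
    return {"level": label[0], "compartments": label[1:].hex()}

def interpret_selinux(label: bytes) -> dict:
    """Constructed flexible-MAC label: an SELinux-style context string."""
    user, role, type_, *mls = label.decode("ascii").split(":")
    return {"user": user, "role": role, "type": type_, "mls": ":".join(mls)}

# The receiver's DOI registry is supplied by its policy engine; the protocol
# only carries the DOI and the octets. Unknown DOIs are rejected, not guessed.
INTERPRETERS = {DOI_MLS_LEVEL: interpret_mls, DOI_SELINUX_CONTEXT: interpret_selinux}

def receive(buf: bytes) -> dict:
    doi, label, rest = decode_label(buf)
    if rest:
        raise ValueError("trailing data after label")
    fn = INTERPRETERS.get(doi)
    if fn is None:
        raise ValueError(f"unknown DOI {doi:#x}; label left uninterpreted")
    return fn(label)
```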