[fmac-discuss] Zones and Flask
Stephen Smalley
sds at tycho.nsa.gov
Tue Apr 22 07:08:40 PDT 2008
On Mon, 2008-04-21 at 22:50 -0400, Paul Moore wrote:
> On Monday 21 April 2008 9:59:30 pm Bill Sommerfeld wrote:
> > On Mon, 2008-04-21 at 21:33 -0400, Paul Moore wrote:
> > > Except they would still be saddled with all of the management
> > > overhead of IPsec.
> >
> > maybe it's a matter of what you're used to always looking easier than
> > the unfamiliar, but in my experience, the administrative overhead of
> > setting up IPsec is trivial compared with the administrative overhead
> > of setting up sensitivity labeling. The stuff that Flask-type
> > systems looks even more complex than setting up sensitivity labels.
>
> While IPsec can be difficult to configure and manage, the complexity of
> configuring security labels on some of these systems can be amazingly
> complex. However, the administrators have to configure the security
> labels regardless of the presence of IPsec.
>
> > if ipsec could be configured "for free" would your objection go away?
>
> To me, IPsec is a poor choice for a labeling protocol; there are the
> reasons that have already been mentioned as well as a few other reasons
> related to implementation details and the loose connection of IPsec SAs
> to application layer sockets. In my mind fixing the IPsec management
> problem helps but it doesn't solve the underlying problem that IPsec is
> ill suited for labeling.
Just to clarify - the above is Paul's view, and not necessarily shared
by the rest of us (not by me, in particular). I'll certainly agree that
the implementation of labeled IPSEC was complicated to get right in
Linux, but I think coupling protection and labeling is the right model.
--
Stephen Smalley
National Security Agency