
Re: (IPng) More Endpoint Attributes



[I am replying to this on the ipsec list, since that is where this
 discussion probably belongs.]

You write:

    uid/gid info is very OS dependent.  Not just the exact usage, but
    the concept, and storage type.  It would be sufficient to represent
    Unix uid/gid info as a bunch of 32 bit values for all the systems
    I know of (or does the Alpha use 64bit uids and gids?), with an
    arbitrary number of gid's.  Likewise a large integer would do for
    the pid as well. 

   [ and so on ...]

I agree that the attributes are OS dependent and may even vary between
differently configured hosts using the same OS and platforms. For example,
on MLS CMW systems the label encodings files may be different but there
may exist a reasonable mapping between the two. 

The issues have been addressed by the TSIG (Trusted Systems Interoperability
Group) specifications grouped under the name TSIX. We have MLS products
shipped which employ those specifications and have demonstrated
their use between heterogeneous UNIX-based platforms. I do not believe
anyone has as yet demonstrated operation against a non-UNIX platform
but I believe the concepts would work in that environment.

Briefly, in the TSIX model, the attributes are negotiated between the end points
as 32-bit tokens using an out-of-band token mapping protocol. The
protocol allows the end points to select domains of translation which
allow for the attributes to be represented (between the token mappers)
in ASCII or binary form. They also allow for transforms to be applied
between local representations and the wire representation of the attributes.
Once the attributes have been mapped, the tokens are used in the end-to-end
communication.