
Re: (IPng) More Endpoint Attributes



Ted writes:

    ... and indeed I believe that's the way the architecture was designed to
    deal with this.  You basically use the IP Security Option for IPv4, and
    I believe that IPv6 was going to use an option similar to IPSO to
    handle this.

In which document would this be discussed? Ran's overview and AUTH specs
talk more about using the SAID to carry the IP sensitivity label 
information, unless I misread that. There is no mention made of using 
IPv4 options for that purpose.


    In any case, it certainly seems clear, as we have both observed, that
    trying to encode this information in the SAID is the wrong place to do
    this.  (I believe the right place is in the IPv4 or IPv6 options field,
    ala IPSO.)  In any case, this places this functionality out of scope of
    IPSEC.

The IPSO options only solve part of the problem. Basically, they are 
only useful for handling the sensitivity label at the network level.
Here the label is used for deciding whether to allow data into or out
of a given host or router and for making routing decisions.

They have been used in the past to a limited extent to allow for
modulating the sensitivity label at session level, but only because there
are MLS vendors who do not support TSIX (or some earlier MaxSix variants).

And in both of these cases the IPSO option (and the TSIG CIPSO option) are
limited to the extent that IPv4 option space is limited. That is, they only
work if the MLS compartments can be squeezed into the available space.
For IPSO that imposes an absolute ceiling of ~200 compartments (in our
product we limit it to 16 bytes, or 128 compartments). The TSIG CIPSO has
variants which in effect allow for compression to occur and may allow
for more compartment combinations to work, but it also has limitations.

But in any event, both of these only handle the sensitivity level.
We would need to define another variant that provides something similar
to what Dean suggested. This is certainly feasible, if the ability
to use IPv4 options (or variants) is available to us.
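The option-space ceiling discussed in the message above, as an added worked example that is not part of the original post and is not IPSO or CIPSO wire format: a simplified label (one classification level byte plus a fixed-size compartment bitmap) is packed into a budget derived from the 40-byte IPv4 option field (RFC 791: IHL at most 15 words, so a 60-byte header minus the 20 fixed bytes). The 3-byte per-option overhead and the field layout are assumptions chosen for illustration; the real options carry more header and authority data, which is why the poster's ceiling is lower than the raw arithmetic here.

```python
"""Constructed example: why a fixed IPv4 option budget caps MLS compartments.

This is NOT the IPSO (RFC 1108) or CIPSO encoding; it is a minimal
level-plus-bitmap label used to show the capacity limit and the
failure mode (a label that does not fit must be rejected, not truncated).
"""

IPV4_MAX_OPTIONS_BYTES = 40   # RFC 791: 60-byte max header minus 20 fixed bytes
OPTION_OVERHEAD_BYTES = 3     # assumed: option type, option length, level byte


def compartment_capacity(option_bytes=IPV4_MAX_OPTIONS_BYTES,
                         overhead=OPTION_OVERHEAD_BYTES):
    """Number of compartment bits that fit once the per-option overhead is paid.

    With the poster's 16-byte bitmap and no overhead this is 128.
    """
    usable = option_bytes - overhead
    if usable <= 0:
        return 0
    return usable * 8


def label_fits(compartments, bitmap_bytes):
    """True if every compartment number can be represented in bitmap_bytes bytes."""
    if any(c < 0 for c in compartments):
        raise ValueError("compartment numbers must be non-negative")
    return all(c < bitmap_bytes * 8 for c in compartments)


def encode_label(level, compartments, bitmap_bytes):
    """Pack (level, set-of-compartments) into level byte + fixed-size bitmap.

    Compartment n is bit n counting from the most significant bit of byte 0.
    Raises ValueError instead of silently dropping compartments that do not
    fit: truncating a label would change its meaning.
    """
    if not 0 <= level <= 255:
        raise ValueError("level must fit in one byte")
    if not label_fits(compartments, bitmap_bytes):
        raise ValueError(
            f"compartments {sorted(compartments)} exceed {bitmap_bytes * 8}-bit bitmap")
    bitmap = bytearray(bitmap_bytes)
    for c in compartments:
        bitmap[c // 8] |= 1 << (7 - (c % 8))
    return bytes([level]) + bytes(bitmap)


def decode_label(blob):
    """Inverse of encode_label: returns (level, set-of-compartments)."""
    if len(blob) < 1:
        raise ValueError("empty label")
    level = blob[0]
    compartments = set()
    for byte_index, value in enumerate(blob[1:]):
        for bit in range(8):
            if value & (1 << (7 - bit)):
                compartments.add(byte_index * 8 + bit)
    return level, compartments


if __name__ == "__main__":
    # Constructed sample label: level 3, three compartments, 16-byte bitmap
    # (the poster's product limit, i.e. 128 compartments).
    blob = encode_label(3, {0, 9, 127}, 16)
    print(len(blob), decode_label(blob))
    print("capacity at 40-byte budget, 3-byte overhead:", compartment_capacity())
    try:
        encode_label(3, {128}, 16)
    except ValueError as exc:
        print("rejected:", exc)
```

The rejection path is the part worth keeping in mind: a gateway that truncated an over-long compartment set to make it fit would emit a label that claims fewer restrictions than the data actually carries.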


