Re: (IPng) More Endpoint Attributes
Ted writes:
> ... and indeed I believe that's the way the architecture was designed to
> deal with this. You basically use the IP Security Option for IPv4, and
> I believe that IPv6 was going to a similar option similar to IPSO to
> handle this.
In which document would this be discussed? Ran's overview and AUTH specs
talk more about using the SAID to carry the IP sensitivity label
information, unless I misread that. There is no mention made of using
IPv4 options for that purpose.
In any case, it certainly seems clear, as we have both observed, that
trying to encode this information in the SAID is the wrong place to do
this. (I believe the right place is in the IPv4 or IPv6 options field,
ala IPSO.) In any case, this places this functionality out of scope of
IPSEC.
The IPSO options only solve part of the problem. Basically, they are
only useful for handling the sensitivity label at the network level.
Here the label is used for deciding whether to allow data into or out
of a given host or router and for making routing decisions.
They have been used in the past to a limited extent to allow for
modulating the sensitivity label at session level, but only because there
are MLS vendors who do not support TSIX (or some earlier MaxSix variants).
And in both of these cases the IPSO option (and the TSIG CIPSO option) are
limited to the extent that IPv4 option space is limited. That is, they only
work if the MLS compartments can be squeezed into the available space.
For IPSO that imposes an absolute ceiling of ~200 compartments (in our
product we limit it to 16 bytes or 128 compartments). The TSIG CIPSO has
variants which in effect allow for compression to occur and may allow
for more compartment combinations to work, but it also has limitations.
But in any event, both of these only handle the sensitivity level.
We would need to define another variant that provides something similar
to what Dean suggested. This is certainly feasible, if this ability
of using IPv4 options (or variants) is available to us.
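Added example, not part of this thread or of any vendor's product: a small model of the option-space ceiling discussed above. It packs a (level, compartment set) label as a bitmap inside the 40 bytes of IPv4 option space; the 10-byte header overhead, the MSB-first bit numbering, and the 16-byte product limit used in the check are assumptions chosen to mirror the post, not a transcription of the IPSO or CIPSO specifications.

```python
# Models how many MLS compartments fit in an IPv4 option when compartments are
# carried as a bitmap (CIPSO tag-type-1 style). Header sizes are assumptions.

IPV4_MAX_OPTION_BYTES = 40   # 60-byte max header minus the 20-byte fixed header
OPTION_OVERHEAD = 2 + 4 + 4  # assumed: type+length, 4-byte DOI, 4-byte tag header


def max_compartments(bitmap_limit_bytes=None):
    """Number of compartment bits the bitmap can carry, given an optional
    product-imposed cap on the bitmap size (e.g. 16 bytes -> 128 compartments)."""
    room = IPV4_MAX_OPTION_BYTES - OPTION_OVERHEAD
    if bitmap_limit_bytes is not None:
        room = min(room, bitmap_limit_bytes)
    return room * 8


def encode_label(level, compartments, bitmap_limit_bytes=None):
    """Pack a label as one level byte followed by a compartment bitmap.
    Raises ValueError when a compartment number cannot be squeezed into the
    available option space, which is exactly the failure mode the post describes."""
    limit = max_compartments(bitmap_limit_bytes)
    if not 0 <= level <= 255:
        raise ValueError("sensitivity level must fit in one byte")
    too_big = sorted(c for c in compartments if c >= limit)
    if too_big:
        raise ValueError(f"compartments {too_big} exceed the {limit}-bit option budget")
    nbytes = (max(compartments) // 8 + 1) if compartments else 0
    bitmap = bytearray(nbytes)
    for c in compartments:
        bitmap[c // 8] |= 0x80 >> (c % 8)   # assumed MSB-first numbering: bit 0 = compartment 0
    return bytes([level]) + bytes(bitmap)


def decode_label(payload):
    """Inverse of encode_label: returns (level, set_of_compartments)."""
    level = payload[0]
    comps = set()
    for i, byte in enumerate(payload[1:]):
        for bit in range(8):
            if byte & (0x80 >> bit):
                comps.add(i * 8 + bit)
    return level, comps


def label_fits(level, compartments, bitmap_limit_bytes=None):
    """True if the label can be encoded within the option space, else False."""
    try:
        encode_label(level, compartments, bitmap_limit_bytes)
        return True
    except ValueError:
        return False
```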