Second, it would help if you used the terminology in the drafts. MAC is
not a term used in this context. SAIDs will not encode Media Access
Control information. (Yes, _I_ know you meant "Message Authentication
Code", but that implies the _result_ of the hash, which is called
"Authentication Data" in our drafts. Only the authentication _mechanism_
is indicated by our SAID.)
I think Dean was using yet a third meaning of MAC which is very familiar
to the MLS CMW world, namely "Mandatory Access Control", which refers
to using sensitivity labels to strictly control access to data.
The security architecture document itself refers to *MAC* in that context:
5.5 USE IN COMPARTMENTED OR MULTI-LEVEL NETWORKS
A multi-level secure (MLS) network is one where a single network is
used to communicate data at different sensitivity levels (e.g.
Unclassified and Secret). Many governments have significant interest
in MLS networking. [DIA] The IPv6 security mechanisms have been
designed to support MLS networking. MLS networking requires the use
of strong Mandatory Access Controls (MAC) which ordinary users are
incapable of controlling or violating. Mandatory Access Controls
differ from Discretionary Access Controls in this respect.
(You did _read_ the document, did you not? :-)
There is a paragraph in there that I think may have led Dean (and me as well)
to infer that the document implied overloading the SAID with *MAC*:
The Encapsulating Security Payload can be combined with appropriate
key policies to provide full multi-level secure networking. In this
case each key must be used only at a single sensitivity level and
compartment. For example, Key "A" might be used only for sensitive
Unclassified packets, while Key "B" is used only for
Secret/No-compartments traffic, and Key "C" is used only for
I (at least) had equated the *key* in this paragraph to the SAID.
- From: "William Allen Simpson" <Bill.Simpson@um.cc.umich.edu>
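The key-policy rule quoted above ("each key must be used only at a single sensitivity level and compartment") is easy to get wrong if the SAID and the key are conflated, so here is a small model of it as an added example. This is illustrative code written for this thread, not code from the IPv6 security drafts or from any implementation; the SA table layout, the SAID values, the key names "A"/"B"/"C" and the compartment name "COMP-1" bound to Key "C" are all assumptions (the draft text above is cut off before it says what Key "C" is for). The point it shows is that the SAID is only an index into the SA table; the sensitivity label is a property of the key policy bound to that SA, and selection is by exact label match, not by dominance.

```python
"""
Model of ESP key policy for MLS networking: every key is bound to exactly one
(sensitivity level, compartment set) and may be used only for packets at that
exact label.  Illustrative code, not from the drafts; all names are assumed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a level plus a (possibly empty) set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class SecurityAssociation:
    """One SA table entry.  The SAID is only an index; the label lives in the
    key policy bound to the entry, not in the SAID value itself (assumed model)."""
    said: int
    key_name: str
    label: Label          # the single label this key may ever be used for


class LabelMismatch(Exception):
    """A packet's label differs from the label its SA's key is bound to."""


class SADatabase:
    def __init__(self) -> None:
        self._by_said: Dict[int, SecurityAssociation] = {}
        self._by_label: Dict[Label, List[SecurityAssociation]] = {}

    def add(self, sa: SecurityAssociation) -> None:
        # SAIDs must be unique.  "One label per key" is enforced by the type:
        # a SecurityAssociation carries exactly one Label.
        if sa.said in self._by_said:
            raise ValueError(f"duplicate SAID {sa.said:#x}")
        self._by_said[sa.said] = sa
        self._by_label.setdefault(sa.label, []).append(sa)

    def outbound_said(self, packet_label: Label) -> int:
        """Pick the SA whose key is bound to exactly this label.

        Exact match only: a Secret/{COMP-1} packet must not fall back to the
        Secret/no-compartments key even though Secret/{COMP-1} dominates it."""
        candidates = self._by_label.get(packet_label)
        if not candidates:
            raise LabelMismatch(f"no key bound to label {packet_label}")
        return candidates[0].said

    def inbound_label(self, said: int) -> Label:
        """The label implied by the key a packet arrived under."""
        sa = self._by_said.get(said)
        if sa is None:
            raise LabelMismatch(f"unknown SAID {said:#x}")
        return sa.label

    def is_permitted(self, said: int, packet_label: Label) -> bool:
        """True iff the SA's key policy allows traffic at packet_label."""
        try:
            return self.inbound_label(said) == packet_label
        except LabelMismatch:
            return False


def key_for_label(db: SADatabase, packet_label: Label) -> Optional[str]:
    """Key name that would protect an outbound packet, or None if no key may."""
    try:
        return db._by_said[db.outbound_said(packet_label)].key_name
    except LabelMismatch:
        return None


def build_example_db() -> SADatabase:
    # Constructed SA table following the draft's Key "A"/"B" examples; the
    # binding of Key "C" to Secret/{COMP-1} and all SAID values are assumed.
    db = SADatabase()
    db.add(SecurityAssociation(said=0x100, key_name="A", label=Label("Unclassified")))
    db.add(SecurityAssociation(said=0x101, key_name="B", label=Label("Secret")))
    db.add(SecurityAssociation(said=0x102, key_name="C",
                               label=Label("Secret", frozenset({"COMP-1"}))))
    return db


if __name__ == "__main__":
    db = build_example_db()
    for lbl in (Label("Unclassified"), Label("Secret"),
                Label("Secret", frozenset({"COMP-1"})), Label("Confidential")):
        print(lbl, "->", key_for_label(db, lbl))
```

Note that nothing here puts the label into the SAID: two SAs at different labels have different SAIDs only because they are different table entries, and a receiver learns the label of an inbound packet from the key policy of the SA it decrypted under, which is the reading of the quoted paragraph that keeps "key" and "SAID" distinct.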