[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Routing

To: cfm@columbia.sparta.com (Carl F. Muckenhirn)
Subject: Re: Routing
From: Andy Bayerl <bayerl@zk3.dec.com>
Date: Fri, 17 Mar 95 09:55:59 -0500
Cc: ipsec@ans.net, barron@zk3.dec.com
In-Reply-To: Your message of "Fri, 17 Mar 95 09:20:51 EST." <199503171421.AA17360@interlock.ans.net>

Carl writes:

    I've seen the SAID described he can encode it that way. (I'll point out
    that if you do this it is really broken, since the data (not the
    association) should be labeled.

I totally agree. This was the ultimate gist of what we finally resolved,
at least until we can look into it more. Basically, given that we
can use IP4 options (such as RFC1108 iPSO or TSIG MIL STD CIPSO) with
strong authentication, we should have the means to make routing decisions
at MLS trusted gateways *guarding* MLS networks.

    I think MAC here means mandatory access control (classification or other
    rule-based discriminator). And if he thinks that off the shelf routers
    (presumably un-"trusted") will be allowed to provide MAC he needs to think
    about it again.

Off the shelf routers already provide MAC under IP4 in restricted
environments. Cisco routers (and possibly other, I am not sure) implement
at least some to the RFC1108 MAC capabilites (although I have found that
they get in the way more than anything). 

There are now also *trusted* routers from Network Systems and Harris
that provide the capability for TSIG CIPSO as well as RFC1108. And
the Boeing A1 LAN product also does so. And most MLS CMW products
can also act as routers, albeit expensive ones.

	/andy

References:

Re: Routing

From: cfm@columbia.sparta.com (Carl F. Muckenhirn)

Prev by Date: Re: Routing
Next by Date: Re: Routing
Prev by thread: Re: Routing
Next by thread: Re: Routing
Index(es):
- Main
- Thread