
Re: Routing



At 9:58 AM 3/17/95, smb@research.att.com wrote:

>There are certainly many possible ways to implement a security
>architecture.  It may be that the drafts are not clear.

That's true, I sometimes wonder what security architecture we are building.

>                                                          The intent of
>the current design is the SAID is strictly an endpoint concept, and is
>not known to intermediate hops.  It manifestly is not a security
>label.  I personally prefer the term ``key identifier'', from the
>SP3/SP4 drafts; it's much less confusing than OSIspeak.

I agree. (The following are random thoughts on a battle already lost, but
here goes.) If it's just a key-id (on a per-host basis) it's hard to see why
32 bits are needed, 8 bits seem quite generous (256 simultaneous keys per
"host(or multicast group)-pair"). (I know, word aligned, faster parsers,
free bandwidth, ATM to the desktop yesterday ....)

>
>With the exception of the reserved values -- which are a concession to
>the need for other possible models of how to do things -- the SAID can
>be thought of as strictly a table index.  The table itself supplies the
>cryptographic algorithm identifier, the current session key, the
>security level, the expiration time, and any host-specific information,
>such as userid.
>

Sounds an awful lot like how I'd implement an SP3/4 device,  hmmmm.

>There is a missing architectural piece:  some IPv6 header or hop-by-hop
>option to carry a security label.  If ESP is deployed
>gateway-to-gateway or gateway-to-host, in a multilevel environment,
>there needs to be some way for the host and the encrypting gateway
>(which may or may not be a router) to communicate.

After my above comments about SAID size, I shouldn't even say anything in
the context of IPv6, but, oh well I'm here... One might expect that the
gov't agencies who worry about this (DISA, DIA, NSA mostly) may someday
provide a way of mapping the CIPSO/BIPSO/RIPSO stuff as either a data item
encapsulated with the IPv6-gram (I find it hard to call it a datagram,
headergram maybe), or an IPv6 option (I'm not up on the optioning
capabilities of IPv6) like the RIPSO/CIPSO/BIPSO.

>The SAID was not intended for this purpose for a number of reasons.
>First, of course, it was intended primarily for use in non-MLS
>environments.

That's true, but what about other "rule-based" access control models, i.e.,
Barings bank derivative trades, Barings bank LOC extension, comptroller,
...


>                --Steve Bellovin

carl.
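
The table-index reading of the SAID discussed in this thread, as an added example that is not part of the original message or of any draft: a receiver resolves (peer, SAID) to a row holding the fields listed in the quoted text, and refuses reserved, unknown or expired entries. The reserved cutoff, field widths, IPv4-sized peer address and all table contents are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <time.h>

/* Assumption: values at or below this are reserved; the thread does not list them. */
#define SAID_RESERVED_MAX 255u

enum sa_result { SA_OK, SA_RESERVED, SA_UNKNOWN, SA_EXPIRED };

/* One row per association; fields follow the list in the quoted message. */
struct sa_entry {
    uint32_t peer;       /* remote endpoint (IPv4-sized here for brevity) */
    uint32_t said;       /* key identifier, meaningful only at the endpoints */
    uint8_t  alg_id;     /* cryptographic algorithm identifier */
    uint8_t  key[16];    /* current session key */
    uint8_t  sec_level;  /* security level */
    time_t   expires;    /* expiration time */
    uint32_t userid;     /* host-specific information */
};

/* Constructed sample table; keys are dummy bytes. */
static const struct sa_entry sa_table[] = {
    { 0xC0000201u, 0x100u, 1, {0x11}, 0, 2000000000, 1001 },
    { 0xC0000201u, 0x101u, 2, {0x22}, 3, 1000,       1002 }, /* long expired */
    { 0xC0000202u, 0x100u, 1, {0x33}, 0, 2000000000, 1003 }, /* same SAID, other peer */
};

/* Resolve an inbound packet's (peer, SAID) to its association, or say why not. */
enum sa_result sa_lookup(uint32_t peer, uint32_t said, time_t now,
                         const struct sa_entry **out)
{
    *out = NULL;
    if (said <= SAID_RESERVED_MAX)
        return SA_RESERVED;           /* reserved values are not table indices */
    for (size_t i = 0; i < sizeof sa_table / sizeof sa_table[0]; i++) {
        const struct sa_entry *e = &sa_table[i];
        if (e->peer != peer || e->said != said)
            continue;
        if (now >= e->expires)
            return SA_EXPIRED;        /* never process traffic under a stale key */
        *out = e;
        return SA_OK;
    }
    return SA_UNKNOWN;                /* no row: drop rather than guess a key */
}
```

Because the lookup key includes the peer, the same SAID value can name different associations for different host pairs, which is the per-host-pair scoping the reply's 8-bit versus 32-bit remark turns on.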