[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

No Subject

Of course, in the IPv4 world we will still continue to use (C)IPSO
since we have no choice. That wouldn't seem to be related to this
discussion (unless IPv4 tunnelled thru IPv6 comes into play, but
I don't think so.)

The only concern I have is how the notion of the implied labelling 
scales to networks with a large number of compartments where the 
number of *potential* labels increases exponentially. Your model
assumes a small number of classifications (which scales linearly)
and a small comparment set. 

The solution may be simply a matter of using a subset of the compartments
for network labelling or restricting the number of active security  
associations with different labels between any 2 end points. 
We will need to keep this in mind when we get around to discussions
of how the S/A's are managed.

   It would be significant risk reduction to
   authenticate such IPSO (or CIPSO, though that is neither standard nor
   widely interoperable [we run multi-vendor tests of this once in a
   while] or well documented) labels end-to-end using AH, hence my
   concern that IPSO be included in the AH computation (as the Proposed
   Standard RFCs already require).

If we assume that vendors will be able to use the implied S/A labelling,
then whether or not (C)IPSO labels are authenticated may be moot.
If a vendor chooses to stick with IPSO then not authenticating is
certainly no worse than IPv4 and would give an incentive to using the
S/A labelling. I don't think I have a strong opinion one or the other.

BTW: Most MLS vendors that I know about support CIPSO. Sun and Sequent
     are the only exceptions I know about and I think Sun is working on it.
     I can't speak to how well it is documented by individual vendors
     and how easily configurable it is for other vendors. From the Digital
     perspective it is easily configurable in all of our MLS+ 3.x releases.
     The CIPSO specifications are accessible in the TSIG archives. 
     (I do not want to get into a discussion of why it is not an RFC,
      since that predated my involvement and I would rather let it lie.)

	/andy

Prev by Date: Re: AH & IPv4 options
Prev by thread: No Subject
Next by thread: IPSP Management Specifications was - Re: Managing IPSP
Index(es):
- Main
- Thread