
Re: Comments on IPSO and AH/ESP
Andy,

  Thanks for your note.  I'm pleased to hear that we share somewhat
similar views on security labeling.

[BEGIN ASIDE:
  My hangup with CIPSO interoperability is that different vendors have
implemented different subsets of the possible "tag types".  So if
vendor A has implemented one subset, vendor B has implemented a
slightly different subset, and vendor C has implemented a third
slightly different subset of the tag types -- then users have a
hard time getting all 3 kinds of systems talking (in some cases,
we can't find a tag type that has been implemented by all of the
systems that we are trying to get to talk with
each other).

A _vast_ improvement would be to require that all vendors implement at
least one or two of the tag types so that users could at least be able
to buy a CIPSO system and know that it is possible to get it to talk with
a CIPSO system from any arbitrary different vendor.  That, regrettably,
is not true today, though it could be true in the future.

I agree the TSIG/IETF history is best left aside at this point.
END ASIDE]

Your inputs/advice on how to ensure that a Security Association's
Implicit Label is flexible enough to meet MLS needs would be most
welcome.

It's highly desirable that the Internet community get this right and
your experience could well help us avoid some pitfalls.  I had been
hoping there would be more discussion of this in the context of
NSA's ISA/KMP draft, but there hasn't been a lot of discussion of
security association mgmt just yet.

Regards,

Ran
rja@cs.nrl.navy.mil