Re: Sensitivity Labels
> From: Ran Atkinson <rja@cisco.com>
> % C) Sensitivity Labels are ill-defined.
>
> Hardly. See RFC-1108.
>
I re-read RFC-1108, just to make sure my memory wasn't utterly failing,
and I found this statement at the very top, in the title:

    U.S. Department of Defense
    Security Options for the Internet Protocol

How does that apply to commercial implementations?
How does that apply to international implementations?
----
Moreover, these are examples of facilities for "explicit" labels, rather
than "implicit" labels (indicated per SPI) used for IP Security.
I find that the application of these labels is used for
particular objectives (from RFC-1108 page 2):

    This option is used by end systems and intermediate systems of an
    internet to:

    a. Transmit from source to destination in a network standard
       representation the common security labels required by computer
       security models,

    b. Validate the datagram as appropriate for transmission from
       the source and delivery to the destination,

    c. Ensure that the route taken by the datagram is protected to
       the level required by all protection authorities indicated on
       the datagram. In order to provide this facility in a general
       Internet environment, interior and exterior gateway protocols
       must be augmented to include security label information in
       support of routing control.

What Internet routing protocols support this routing control?
How exactly are the proposed IP Security Sensitivity Labels used in
"network layer" routing without this routing control?
----
See also RFC-1457, which complains that there is no standard network
label format, discusses translation problems, and examines the current
status of labels in the protocol stack (including IEEE and ISO).
Indeed, RFC-1457 recommendations appear to indicate that implicit labels
are best applied at the link and transport layers, not the network layer.
----
Again, the RFC-1825 Sensitivity Label recommendations were misguided and
ill-defined, and implementation experience has shown that we have no
need of them.
I urge the WG to clearly indicate that they should be removed.
Bill.Simpson@um.cc.umich.edu
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2