
SAs and SPIs



        The subject of SA-SPI methodology and if it can be used to satisfy
current demands from business for security is clearly of interest to IPSEC.
It is good to see the quality and quantity of the correspondence on SA-SPI
usage.  There have been several questions to me asking for some more
details. (The Security Intellectual of the Week Award clearly goes to Ozan
S. Yigit at Secure Computing for identifying Kurosawa's Rashomon. Good shot.)

	1.  Let's return to SA-SPIs. First, the demand for security by businesses
is very large.  I suspect to have more than limited acceptance it will be
necessary for IPSEC products to satisfy the demand for operating procedures
which will enable businesses to not weaken their current operating
procedures if they transfer communications to the Net.  The practices I
wrote about are very real and widespread.  For example, I designed some
production control equipment for a small corporation.  The system was in a
locked room where only selected employees had the key. Other employees, even
those working in the same area, were not allowed access.  This corporation
made special electronics components for a number of manufacturers and also
plastic products for several larger corporations, including a major camera
manufacturer. (For example, they made plastic film containers for a major
camera manufacturer.  Employees in this operation were physically separated
from the other employees.)  Correspondence between the small corporation
and the larger ones they did business with was carefully controlled, and
engineering drawings, production data, etc. were carefully transmitted
either by courier or by registered, certified mail. I also did work for a
camera manufacturer where film development operations were divided into
separate projects that were carefully separated from camera development.
Engineering documents travelling from department to department were signed
in and out and transmissions to subcontractors were registered and signed
for at the receiving end.
	These practices are widespread.  My experiences with EGG, Raytheon, and a
host of others were similar. Recently I had some correspondence with a
biotech company where employees in one development section were physically
separated from other employees. All inter-corporate communications were
carefully controlled and also the members of this division were warned to
not betray progress (or the lack of it) by appearing very happy (or sad)
when passing other employees.
	It is hard to believe that in the long run Ford will be happy if GM (also
on the Auto Industry Net, see Dave Kemp for a good comment) can access Ford
key material related to correspondence with parts suppliers, consulting
firms on development projects, etc.  Remember, Ford, Chrysler, and GM are
international corporations.  The extent to which their branches will want to
use the net for subcontractor and branch-to-branch communication will be
largely dependent on the users' confidence in the security of the system.
Usage will also depend on the ease with which secure subnetworks can be
implemented, and taken down.
	Do not think large corporations are bound to a single LAN with one or more
WAN connections.  Flexibility and the ability to accommodate changing
corporate structures (remember, they reorganize) and to establish and take
down secure communications channels to subcontractors will bear heavily on
the success of the IPSEC effort.  Rodney Thayer's comments are suggestive of
what I think the actual situation is.

	2.  NSA trained security analysts (I include anyone with a set of coloring
books) have built in mental associations that are immediately triggered when
the communications situation is more complex than the Dick wants to talk to
Jane and Henry wants to listen in or interrupt.  Any more complicated
situation is swept under a large rug labeled MLS.  Then another synapse is
triggered and we start hearing about B2, B1, C1, etc.  These are interesting
concepts and the fact we can use terms B2, C2,… without worrying that others
will not understand shows the pervasive effect of the color orange on book
readers (clearly there aren't enough books with orange covers.  Also, can
anyone name a film with orange in the title?)
	The digression into B2-land in SA-SPI comments is interesting but it seems
to me that we are here concerned with IP security and its usefulness in
protecting communications.  If employee X has access to data on project A
and project B and he wants to give it to someone, he can. His transmission
can be by Internet, but also by mail, telephone, meetings in a bar etc.
Breaking computers into compartments using a kernel is a worthwhile future
endeavor, but let us stick to the subject at hand, which is protecting
information on the Internet. The comments by Howie Weiss are first rate on
this subject, by the way.

	3.  The note from Steve Kent to John Shriver is very well put together.  I
am pleased to note that he has carefully hedged the term MLS and is also
careful to qualify the use of the term MLS and Security Levels by alluding
to compartments, etc.  Compartments and releases are the important things,
even for government usage. While the Military makes heavy use of the
categories Secret, Confidential, Top Secret, etc, which probably offer the
few examples of a pure hierarchical security situation, most of the
Government operates at a single level (controlled by NIST) and the
Intelligence operations almost all consist of compartments, all at a single
level (i.e., not multi-level but compartmented.) One of the points of my
Amgen example was to show commercial data is "compartmented" in the
often-used vernacular. (Steve knows this and so do Ran Atkinson and others
who have written comments.)  The point is that security structures are not
that complex and can be accommodated with careful design, but this design
step must be taken and not deferred. Steve's comments should be carefully
read by all.
	Ran Atkinson also has placed his weighty oar in the stream. I think John
Horton's comments on his comments and my offering are very clear and also
worth reading.  Horton's use of the word domain bothers me but his basic
idea is very clear. A good shot (but what is the organization alluded to?)
Returning to Atkinson's note, I worry about pushing clear operational
requirements into a big box called security policy and then deferring
discussion of how given "policies" might be implemented.  From what I can
see commercial concerns operate with pretty much the same policy (always
remember levels can be shoveled into compartments.) Atkinson, who is
obviously very knowledgeable, gives a nice listing of presently existing
relevant documents and some ideas on how they could be used.  He also brings
up Bell-LaPadula and lattice theory springs into our minds (I taught lattice
theory at Harvard with the late and great mathematician Garrett Birkhoff,
who is regarded as the father of lattice theory, for several years.  I am
sympathetic to this but am afraid it is a diversion here.)  He also mentions
labels and these I suspect are important, particularly considering the legal
aspects of secure communications.

	4.  The looked-for methodology and an example of the usage of this
methodology have not yet appeared.  Perhaps Steve Kent's assessment is right.


        I am not the Thomas Q. Bartee of MITRE whose address was on an early
submission.  He is my son.  I had the e-mail ready to go on Friday.  Saturday
night he used the computer (after midnight, I was asleep) and placed his
name and address in a Eudora feature which then attached his name to my work
when I pushed the send button Monday morning.  I may threaten him with B2.
I am Thomas C. Bartee.
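
        [Added example, not part of Bartee's message or of any IPSEC
working group document.]  Paragraph 3 above makes a concrete claim: most
real situations are "compartmented, all at a single level", and "levels can
be shoveled into compartments".  The Python below shows why that holds.  It
compares labels of the form (level, compartment set) with Bell-LaPadula
dominance, flattens each label into a pure compartment set, and checks over
every pair of sample labels that dominance on the first form is exactly
subset on the second.  It then uses the single-level commercial case the
message argues for (Ford, Ford's supplier traffic, GM) to show per-label
keying: each SPI protects exactly one label, so a party holding GM's key is
never handed the key for Ford's supplier correspondence.  The level names
follow the message; the company labels, the compartment strings, the SPI
values and the SA table are constructed for illustration and are not taken
from any standard or product.

```python
"""Added example (not from Bartee's message): a label lattice in which a
hierarchical level plus a set of compartments is compared by Bell-LaPadula
dominance, and the same labels flattened into pure compartment sets, to show
that 'levels can be shoveled into compartments'.  All names are constructed."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Iterable, Optional

# Hierarchical levels, lowest first (the government examples the message names).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    level: str                    # one of LEVELS
    compartments: FrozenSet[str]  # non-hierarchical categories

    def dominates(self, other: "Label") -> bool:
        """Bell-LaPadula dominance: level >= AND compartments are a superset."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.compartments <= self.compartments)


def to_compartments(label: Label) -> FrozenSet[str]:
    """Flatten: level k becomes one pseudo-compartment for every level <= k.
    This works because LEVELS is a total order, so 'my level >= yours' is
    exactly 'my chain of level pseudo-compartments contains yours'."""
    k = LEVELS.index(label.level)
    chain = frozenset("LEVEL:" + lv for lv in LEVELS[: k + 1])
    return chain | label.compartments


def encodings_agree(labels: Iterable[Label]) -> bool:
    """True iff, for every ordered pair, dominance on (level, compartments)
    equals plain subset on the flattened compartment sets."""
    labels = list(labels)
    return all(a.dominates(b) == (to_compartments(b) <= to_compartments(a))
               for a, b in product(labels, repeat=2))


# Constructed commercial labels: one level, compartments only, which the
# message says is the usual commercial (and intelligence) situation.
FORD = Label("UNCLASSIFIED", frozenset({"FORD"}))
FORD_SUPPLIERS = Label("UNCLASSIFIED", frozenset({"FORD", "FORD.SUPPLIERS"}))
GM = Label("UNCLASSIFIED", frozenset({"GM"}))
# Two constructed government labels that are incomparable (neither dominates).
TS_A = Label("TOP SECRET", frozenset({"A"}))
S_AB = Label("SECRET", frozenset({"A", "B"}))
EXAMPLE_LABELS = [FORD, FORD_SUPPLIERS, GM, TS_A, S_AB]

# Hypothetical SA table (SPI values are made up): each SPI keys exactly one
# label, so whoever holds the GM key never holds the Ford-supplier key.
SA_TABLE: Dict[int, Label] = {0x1001: FORD, 0x1002: FORD_SUPPLIERS, 0x2001: GM}


def select_spi(datagram_label: Label,
               table: Dict[int, Label] = SA_TABLE) -> Optional[int]:
    """Pick the SA whose label exactly matches the datagram's label, if any."""
    for spi, sa_label in table.items():
        if sa_label == datagram_label:
            return spi
    return None


def may_receive(clearance: Label, spi: int,
                table: Dict[int, Label] = SA_TABLE) -> bool:
    """A party may be given an SA's key only if its clearance dominates
    the label that SA protects."""
    return clearance.dominates(table[spi])


if __name__ == "__main__":
    print("level+compartment dominance == flattened subset:",
          encodings_agree(EXAMPLE_LABELS))
    print("GM dominates Ford supplier traffic?", GM.dominates(FORD_SUPPLIERS))
    print("SPI for Ford supplier traffic:", hex(select_spi(FORD_SUPPLIERS)))
    print("May GM hold that SA's key?", may_receive(GM, 0x1002))
```

The flattening only collapses the level because LEVELS is a chain (a total
order); a partial order of levels would need the lattice treatment the
message sets aside.  Exact-match SA selection in select_spi is the strict
form of per-compartment keying; relaxing it to "SA label dominates the
datagram label" is a policy choice that widens who can read the traffic.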