Please remember that it is up to the WG to define the work item. The I-D is
just a possible starting point, so if there's strong interest in this area, you
may wish to reach consensus on a charter item - and to convince the rest of us
that enough people are interested.
Thanks,
Yaron
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Nicolas Williams
> Sent: Friday, December 04, 2009 20:46
> To: Dan McDonald
> Cc: [email protected]; Joy Latten
> Subject: Re: [IPsec] Proposed work item: Labelled IPsec
>
> On Fri, Dec 04, 2009 at 01:39:46PM -0500, Dan McDonald wrote:
> > The bigger point being missed by this thread, I think, is that it
> > seems that any work in multi-level security needs to deal with
> > successful interoperability. If it doesn't, there's little point in
> > documenting a single-platform solution as part of a working group's
> > output.
>
> +1.
>
> The proposed work item is, at first glance anyways, too SELinux-
> specific.
>
> Note that SMACK encodes its labels as CIPSO labels, so a scheme that
> uses CIPSO can possibly be used in SMACK and non-SMACK environments, and
> possibly even be mixed.
>
> In any case, there have been lengthy threads elsewhere (saag, IIRC)
> about MAC interoperability.
>
> Some options to consider:
>
> - implicit labeling
>    - derived from CERTs
>    - derived from IDs
>    - derived from network addresses
> - negotiated labeling
>    - requires a DOI negotiation of some sort
>    - each node asserts one, or more, or a range of labels (SMACK, for
>      example, doesn't support the notion of label ranges) and the peers
>      evaluate and narrow the assertion according to policy and produce
>
> All I see in the proposed work item is single label assertions. That
> strikes me as insufficient.
>
> Nico
> --
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
>