On Wed, Apr 08, 2009 at 03:41:55PM -0700, Jarrett Lu wrote:
> It's not clear to me how much information is sufficient to guarantee a
> subset of policy is consistent so that labeled communication is safe and
> correct. One extreme is to require systems to be configured identically.
> As I understand it, roles/types on DTE systems usually depend on what
> kind of applications are run on the systems, and the types are defined
> to constrain what the applications can do on a system. In other words,
> policies on different systems are most likely different.
Right, but presumably applications using NFS can be made to have identical
sub-policies on all relevant NFS clients and servers. If not, then why use
NFS for such an application? Of course, there's the matter of home
directories and random apps loaded on clients without server knowledge, but
if you're using labeled NFS then presumably you have an infrastructure and
site-/org-wide system administration that can ensure orderly application
deployment.

> > Jarrett's point was that this is true even for MLS labels because a node
> > might not know what the meaning of a given sensitivity and compartment
> > are. This is not a problem for CALIPSO because middle boxes need only
> > determine label dominance, but Jarrett thinks that this is a problem for
> > NFS.
>
> I believe this is a problem for MLS end systems (client and server),
> even when CALIPSO is in use. If labels are defined differently on
> different systems, e.g. the same binary bit pattern on two different
> systems maps to different labels, label comparison is meaningless. The
> underlying assumption is that if two systems use different label mapping
> schemes, they should not be using the same DOI to communicate without
> some sort of translation mechanism. The agreement associating a DOI
> with a particular label mapping is done outside of a protocol option
> such as CIPSO (for IPv4) or CALIPSO (for IPv6). Just to be clear, the
> CALIPSO spec defines the "on-the-wire" format of the (MLS) sensitivity
> label option for IPv6. It is not designed to communicate policy
> agreements among systems.

Based on this, I think I'm ready to conclude that for MLS we don't need
anything more than the DOI number/name to produce MLS policy agreement,
though a URI scheme for naming policies (including version) would have
better semantics. DTE does not seem as simple, though assuming common
per-app sub-policies then it may be doable.

Nico
--
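The DOI-scoping argument in the exchange above, worked through as an added example (this is not code from the thread or from any CALIPSO/CIPSO implementation). It models a sensitivity label as (DOI, level, compartment set), does the dominance check a CALIPSO-aware router needs, refuses to compare labels from different DOIs, and shows a hypothetical out-of-band translation table between two DOIs. The per-DOI name tables, the translation table, the bit ordering assumed for the compartment bitmap, and all function names are assumptions made for illustration.

```python
"""Constructed example: DOI-scoped MLS label comparison.

A label is only meaningful inside its Domain of Interpretation (DOI), so a
node must refuse to compare labels from different DOIs unless an explicit
translation has been agreed.  The per-DOI name tables and the translation
table below are invented for illustration; they are not any real policy.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


class DOIMismatch(Exception):
    """Raised when two labels from different DOIs are compared directly."""


@dataclass(frozen=True)
class Label:
    doi: int
    level: int
    compartments: FrozenSet[int]  # positions of the compartment bits that are set


# Hypothetical per-DOI meaning of the same bit patterns.  Level 2 with
# compartment bit 0 set reads "SECRET/ALPHA" under DOI 1 but
# "RESTRICTED/FINANCE" under DOI 2, so comparing raw bits across DOIs
# would be meaningless.
DOI_POLICY = {
    1: {"levels": {0: "UNCLASSIFIED", 1: "CONFIDENTIAL", 2: "SECRET"},
        "compartments": {0: "ALPHA", 1: "BRAVO"}},
    2: {"levels": {0: "PUBLIC", 1: "INTERNAL", 2: "RESTRICTED", 3: "BOARD"},
        "compartments": {0: "FINANCE", 1: "LEGAL"}},
}

# Hypothetical translation DOI 1 -> DOI 2, agreed out of band.  A label with
# no entry cannot be translated and must be rejected rather than guessed.
TRANSLATE_1_TO_2 = {
    (0, frozenset()): (0, frozenset()),
    (1, frozenset()): (1, frozenset()),
    (2, frozenset({0})): (2, frozenset({0, 1})),
}


def label_from_bitmap(doi: int, level: int, bitmap: bytes) -> Label:
    """Decode a compartment bitmap into set bit positions.
    Assumption: compartment 0 is the most significant bit of the first octet."""
    cmpts = set()
    for i, byte in enumerate(bitmap):
        for k in range(8):
            if byte & (0x80 >> k):
                cmpts.add(i * 8 + k)
    return Label(doi, level, frozenset(cmpts))


def describe(label: Label) -> str:
    """Render a label using the names its own DOI assigns to the bits."""
    pol = DOI_POLICY[label.doi]
    level = pol["levels"][label.level]
    cmpts = ",".join(pol["compartments"][c] for c in sorted(label.compartments))
    return f"{level}/{cmpts}" if cmpts else level


def dominates(a: Label, b: Label) -> bool:
    """True iff a dominates b: same DOI, a.level >= b.level, and every
    compartment of b is also in a.  A cross-DOI comparison is an error,
    not merely False: the bits have no common meaning."""
    if a.doi != b.doi:
        raise DOIMismatch(f"cannot compare DOI {a.doi} label with DOI {b.doi} label")
    return a.level >= b.level and b.compartments <= a.compartments


def router_permits(pkt: Label, iface_low: Label, iface_high: Label) -> bool:
    """A middle box only needs dominance: forward iff the packet's label lies
    within the interface's configured range [iface_low, iface_high]."""
    return dominates(pkt, iface_low) and dominates(iface_high, pkt)


def translate(label: Label, dst_doi: int) -> Optional[Label]:
    """Map a label into another DOI via the agreed table, or None if no
    agreement covers it.  Only DOI 1 -> DOI 2 is defined in this example."""
    if label.doi == dst_doi:
        return label
    if (label.doi, dst_doi) != (1, 2):
        return None
    mapped = TRANSLATE_1_TO_2.get((label.level, label.compartments))
    return Label(dst_doi, mapped[0], mapped[1]) if mapped else None


if __name__ == "__main__":
    secret_alpha = label_from_bitmap(1, 2, b"\x80\x00\x00\x00")
    same_bits_doi2 = label_from_bitmap(2, 2, b"\x80\x00\x00\x00")
    print(describe(secret_alpha), "vs", describe(same_bits_doi2))
    try:
        dominates(secret_alpha, same_bits_doi2)
    except DOIMismatch as e:
        print("refused:", e)
    print("translated:", describe(translate(secret_alpha, 2)))
```

The point the example makes concrete: `dominates` never looks at the name tables, so a router that only forwards or drops within a DOI works with nothing but the DOI number, while an end system that wants to interpret a label from another DOI needs an explicit translation entry and should fail closed when there is none.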