Fernando,
Regarding this draft, I have some feedback with respect to CALIPSO
(in part because I am one of the co-authors of RFC-5570, which specifies
CALIPSO).
1. Section 4.3.9 makes an incorrect assumption.
Contrary to 4.3.9.5, an intermediate system (e.g., IP router) has no method
to learn or know whether or not it is deployed in an MLS-enabled environment.
An MLS-enabled IPv6 environment might well be using globally routable
addresses, so the routing prefixes in use are not informative about the
deployment type.
Further, the majority of routers in an MLS-enabled environment are ordinary
commercial off-the-shelf IP routers from the usual IP router vendors. Some
routers and firewalls in such environments might have MLS-enhancements,
but many more will NOT have MLS-enhancements. This is partly because
the MLS-enabled label enforcement is only needed at enclave boundaries.
Explicit configuration is the only method via which a particular deployed
intermediate system can learn whether or not it is in an MLS-enabled
network environment. This is sad, but also is reality.
SUGGESTED ADDITIONAL TEXT for 4.3.9.1:
"Explicit configuration is the only method via which a particular deployed
intermediate system can learn whether or not it is in an MLS-enabled
network environment."
2. As a result, the advice in 4.3.9.5 is not good or correct. The incorrect
assumption above leads to an incorrect conclusion about advice on option handling.
My suggestion is to revise the advice in 4.3.9.5.
PROPOSED REPLACEMENT TEXT for 4.3.9.5:
"Intermediate systems that do not implement RFC-5570 SHOULD have
a configuration option to EITHER (a) drop packets containing the
CALIPSO option OR (b) to ignore the presence of the CALIPSO option
and forward the packets normally."
"Intermediate systems that do implement RFC-5570 SHOULD have both
configuration options (a) and (b) from the preceding paragraph and
also a third configuration option (c) to process packets containing
a CALIPSO option as per RFC-5570."
"Such configuration is the only method via which an intermediate system
can know whether or not that particular intermediate system has been
deployed within an MLS-enabled environment. In many cases, ordinary
commercial intermediate systems (e.g., IPv6 routers & firewalls) are the
majority of the deployed intermediate systems inside an MLS-enabled
network environment."
Yours,
Ran
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
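A worked illustration of the three explicitly configured behaviours (a), (b) and (c) discussed in the message above, added here as an example and not part of Ran's message or of any draft text: it parses an IPv6 Hop-by-Hop header, locates the CALIPSO option (Option Type 0x07 per RFC 5570) and applies whichever policy the operator has configured, dropping malformed labels under (c). The function names, the policy strings, the `max_level` ceiling and the sample header bytes are assumptions of this example.

```python
import struct
CALIPSO_OPT_TYPE = 0x07  # Option Type assigned by RFC 5570; top bits 00 = skip if unrecognized

def parse_hbh_options(hbh: bytes):
    """Yield (type, data) for each option TLV in an IPv6 Hop-by-Hop header (RFC 2460 encoding)."""
    total = (hbh[1] + 1) * 8          # Hdr Ext Len counts 8-octet units beyond the first
    if len(hbh) < total:
        raise ValueError("truncated Hop-by-Hop header")
    i = 2
    while i < total:
        if hbh[i] == 0:               # Pad1: single octet, no length field
            i += 1
            continue
        opt_type, length = hbh[i], hbh[i + 1]
        data = hbh[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option runs past header end")
        if opt_type != 1:             # PadN (type 1) carries no information
            yield opt_type, data
        i += 2 + length

def decode_calipso(data: bytes) -> dict:
    """Decode the fixed part of the CALIPSO option data; the CRC-16 is not verified here."""
    if len(data) < 8:
        raise ValueError("CALIPSO option too short")
    doi, cmpt_len, level, crc = struct.unpack("!IBBH", data[:8])
    if len(data) != 8 + 4 * cmpt_len:  # Cmpt Length is in 32-bit words
        raise ValueError("compartment bitmap length mismatch")
    return {"doi": doi, "cmpt_len": cmpt_len, "level": level, "crc": crc, "compartments": data[8:]}

def forwarding_decision(hbh: bytes, policy: str, max_level: int = 255) -> str:
    """policy is the operator's explicit choice: 'drop' (a), 'ignore' (b) or 'process' (c)."""
    calipso = [d for t, d in parse_hbh_options(hbh) if t == CALIPSO_OPT_TYPE]
    if not calipso or policy == "ignore":
        return "forward"
    if policy == "drop":
        return "drop"
    try:                                # (c): a label-aware box enforces its configured ceiling
        label = decode_calipso(calipso[0])
    except ValueError:                  # malformed labels are dropped rather than guessed at
        return "drop"
    return "forward" if label["level"] <= max_level else "drop"

SAMPLE_HBH = bytes([         # constructed sample: one CALIPSO option, DOI 1, level 3, no compartments
    0x3B, 0x01,              # Next Header = 59 (none), Hdr Ext Len = 1 -> 16 octets total
    0x07, 0x08,              # CALIPSO option type, 8 octets of option data
    0x00, 0x00, 0x00, 0x01,  # Domain of Interpretation = 1
    0x00, 0x03,              # Cmpt Length = 0, Sens Level = 3
    0x00, 0x00,              # CRC-16 left zero in this constructed sample
    0x01, 0x02, 0x00, 0x00,  # PadN to reach the 8-octet boundary
])
```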