On Thu, May 15, 2008 at 12:11:03PM -0700, Jan Parcel wrote:
> The assumption that things are under single administration is a huge problem
> for my customers.  The whole point of all this protection and security
> and labeling is the post-9/11 requirements for cooperation BETWEEN 
> administrative departments, which means each one wants to gate between 
> themselves and others.  So General Dynamics wants to be able to
> REQUIRE labels partway through the route, and delete them later.
> 
> Implicit labeling needs to be done carefully or be able to be turned off.

Er, middle boxes that add and later remove CIPSO labels add no real
security (unless they also do IPsec BITW).  Implicit IPsec labeling
*does* add real security.  But certainly implicit IPsec labeling should
not interfere with middle boxes that do this sort of thing.

IPsec cannot work between two peers if there's no cooperation (at least
until we implement BTNS, and even then, that alone provides no peer
authentication) between their administrators.

Nico
-- 