>>>>> "Michael" == Michael StJohns <mstjohns@xxxxxxxxxxx> writes:

    Michael> Hi Joe - A quick disclaimer - although I was complicit in
    Michael> allowing this draft to be resurrected from 1992, I have
    Michael> had very little to do with it on this cycle.

    Michael> At 02:18 PM 10/2/2008, Joe Touch wrote:
    >> First, I don't agree with this document's recommendation in
    >> section 7.3.1.
    >>
    >> TCP's current definition of a connection is:
    >>
    >>   local IP address
    >>   remote IP address
    >>   local port
    >>   remote port
    >>   protocol (e.g., TCP)
    >>
    >> I don't agree that treating each sensitivity level as a
    >> separate virtual network (Sec 3 of this ID) is the appropriate
    >> analogy. If that were the case, we'd need to redefine every
    >> Internet protocol to understand the pair [address, sensitivity
    >> level] as an identifier, and that is not realistic. Further, if
    >> we did need to do such an extension, there are other equally
    >> (or arguably more) worthy candidates, notably VPN-ID.

    Michael> A single level process at TOP SECRET does a passive open
    Michael> of the port (call it 666) and waits for connections. A
    Michael> second single level process at SECRET also attempts to do
    Michael> a passive open to the same port - but gets blocked
    Michael> because the port resource is being held by the TOP SECRET
    Michael> process. The SECRET process now has one bit of
    Michael> information about the TOP SECRET part of the host. By
    Michael> grabbing and releasing port resources, the TS process can
    Michael> signal data to processes at lower security levels.

You're proposing a huge complexity increase for the TCP stack in order
to get this covert channel protection.

Now, I do understand the value of covert channel avoidance in these
environments. However, I wonder what other ways have been explored.

In particular, this draft focuses on V6. It's easy to create a new
address on a V6 link. Have people looked at separating each virtual
network interface onto its own address? I think you'd still need label
options so that intermediate systems could enforce mandatory access
control, but this might allow you to escape doing so much damage to the
TCP implementation.

If using multiple addresses doesn't work, what other mechanisms have
people looked at? Are there other ways to decrease the bandwidth of the
covert channel to an acceptable level?

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
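An added illustration (not part of the thread) of the two designs being compared: a listening port held from one address either does or does not block a second passive open on the same port, depending on whether the second open uses the same address or its own. It assumes a Linux host, where the whole 127.0.0.0/8 block is reachable on loopback, so 127.0.0.1 and 127.0.0.2 stand in for the per-level addresses the message proposes; the function names are mine.

```python
import errno
import socket


def bind_listener(addr: str, port: int) -> socket.socket:
    """Passive open on (addr, port) with no SO_REUSEADDR, like a plain server."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((addr, port))
    s.listen(1)
    return s


def port_contention(addr_a: str, addr_b: str) -> dict:
    """Hold a listening port from addr_a, then attempt the same port from addr_b.

    'blocked' is True when the second passive open is refused with EADDRINUSE:
    that refusal is the single observable bit the quoted scenario describes.
    """
    first = bind_listener(addr_a, 0)  # port 0: kernel picks a free port
    port = first.getsockname()[1]
    try:
        second = bind_listener(addr_b, port)
    except OSError as e:
        first.close()
        return {"port": port, "blocked": e.errno == errno.EADDRINUSE}
    second.close()
    first.close()
    return {"port": port, "blocked": False}


def compare() -> dict:
    """Shared port namespace (both levels on one address) versus one
    loopback address per level, the separation suggested in the message."""
    return {
        "shared_address": port_contention("127.0.0.1", "127.0.0.1")["blocked"],
        "separate_addresses": port_contention("127.0.0.1", "127.0.0.2")["blocked"],
    }


if __name__ == "__main__":
    print(compare())
```

The per-address split removes the port contention itself; it says nothing about other shared resources on the host, which is why the message still asks what else has been examined.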