Re: [RFC 1/2] labeled ipsec internet drafts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2008-08-27 at 11:17 -0500, Joy Latten wrote:
> On Tue, 2008-08-26 at 16:24 -0400, David P. Quigley wrote:
> > On Tue, 2008-08-26 at 12:17 -0500, Joy Latten wrote:
> > > On Mon, 2008-08-25 at 17:42 -0400, David P. Quigley wrote:
> > > > On Mon, 2008-08-25 at 15:46 -0500, Joy Latten wrote:
> > > > [Snip...]
> > > > > 
> > > > > >>
> > > > > >>        - doi (1 octet) - The first octet contains the security
> > > > > >> label's domain of interpretation.
> > > > > >>
> > > > > >>          The domain of interpretation can be viewed as a group of
> > > > > >>          systems that agree on the meaning of particular values
> > > > > >> within the security label of a security mechanism.
> > > > > >>
> > > > > >>          The value of 1 is reserved as the default.
> > > > > >>
> > > > > >>          Reserved       0
> > > > > >>          Default        1
> > > > > >>
> > > > > >>        - algorithm (1 octet) - The second octet contains the security
> > > > > >>          label's algorithm.
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >> Latten, et al.               Expires ?                          [Page
> > > > > >> 3] 
> > > > > >> Internet-Draft               IKEv1SecurityLabel                June
> > > > > >> 2008
> > > > > >>
> > > > > >>
> > > > > >>          The security label's algorithm specifies the security
> > > > > >>          mechanism or context in which the label is applicable. For
> > > > > >>          example, the security label is interpreted within the
> > > > > >> SELinux context.
> > > > > >>
> > > > > >>          Requests for assignment of additional algorithms should be
> > > > > >>          addressed to the Internet Assigned Numbers Authority (IANA).
> > > > > >>
> > > > > >>          Reserved       0
> > > > > >>          SELinux        1
> > > > > >>          Smack          2
> > > > > >>          Private Use    120-128
> > > > > >
> > > > > >Is one octet enough here?  I honestly don't have a good idea as to how 
> > > > > >much is enough, so a little justification of your choice (even if it 
> > > > > >only lives in email, not in the spec) would be welcome.
> > > > > 
> > > > > I used one octet here because it is defined as one octet in the kernel's
> > > > > sec_ctx structure. Originally, I think we used one octect for each
> > > > > to keep within a 64-bit alignment requirement for pfkey. We thought
> > > > > one octet would be enough...
> > > > > 
> > > > 
> > > > There are several documents being submitted as drafts to the IETF at the
> > > > moment and all of them have different definitions of a DOI.
> > > > 
> > > > In your method you pair a mechanism with the DOI to form something along
> > > > the lines of a (mechanism,policyversion) tuple. The question of if one
> > > > octet is enough to identify all potential policies in a mechanism is
> > > > unclear but I have a feeling the answer will be no.
> > > > 
> > > > The second method is in the SIPSO for IPv6 draft. In this the DOI is a
> > > > 32 bit value existing as 4 octets. They partition off what are
> > > > essentially address spaces to be used privately, by certain
> > > > organizations, and they also keep a block for IETF considerations in
> > > > later revisions of the specification. There is a lot of information in
> > > > the document and most of it pertains to MLS labels.
> > > > 
> > > > The third method is in the label support for NFSv4 draft. In this we
> > > > just define the DOI as a 32 big value. It is up to a translation daemon
> > > > to decide if the endpoint has the knowledge and desire to translate
> > > > labels from the foreign DOI to its own.
> > > > 
> > > > Regardless of which method is used we need to come to a consensus on
> > > > what a DOI is and how we are going to represent it. We can't go to the
> > > > IETF with 3 different definitions of a DOI.
> > > > 
> > > 
> > > I just now quickly glanced at the CALIPSO draft as I had not read 
> > > it before. I did read the labeled nfs draft a while back. 
> > > 
> > > I see what you mean. However, I guess I am feeling a bit wary since
> > > the CALIPSO draft's description of the DOI and it's format seem to be
> > > tailored specifically for MLS labels. The labeled ipsec's doi field had
> > > a broader purpose in mind. 
> > 
> > Yea, it is unfortunate that CALIPSO is only for MLS labels. IPv6 is
> > still growing in its deployment so it would be nice to have a robust and
> > flexible method for conveying security labels from the start. For now it
> > seems as if CALIPSO will try to go through just as MLS labels and then
> > DTE or other security labels will have to create their own IP security
> > option.
> > 
> > > 
> > > > > >I'm also concerned with the implied convention of assigning one value to 
> > > > > >a particular implementation.  In the SELinux case, how do you deal with 
> > > > > >a non-MLS/MCS policy such as Gentoo/Ubuntu talking to a MLS/MCS policy 
> > > > > >such as Fedora/RHEL?  What about policies with different types?  
> > > > > >Differing numbers of MLS sensitivity levels or categories?
> > > > > >
> > > > > 
> > > > > Hmm... not sure I understand so I may not answer this correctly...
> > > > > 
> > > > > The algorithm indicates the security mechanism.
> > > > > In a way, it identifies the syntax/semantics of the 
> > > > > security context to security mechanism, since security mechanisms 
> > > > > may use different syntax/semantics for the security contexts. 
> > > > > i.e. SELinux and SMACK.
> > > > > The algorithm field in SELinux is used to "authorize" the security
> > > > > context. In other words, SELinux only wants and understands
> > > > > SELinux's security context syntax/semantics.
> > > > > The "doi"  would be used for further differentiation within SELinux
> > > > > domain. Far example, a sysadm wants to differentiate between SELinux
> > > > > policy versions in his domain. He could used "doi" field to do this.
> > > > > 
> > > > > I suppose if you wanted two different security mechanisms to 
> > > > > interoperate, a mapping of some sort would have to be created
> > > > > between them. The security mechanisms would need
> > > > > to indicate they accept (via the mapping) the other's
> > > > > security context syntax/semantics. In other words, they would "authorize" 
> > > > > the two different security contexts. It would do this via the 
> > > > > "algorithm" and/or "doi" fields. I am thinking in this case, "doi" could
> > > > > even indicate the mapping such as CIPSO's DOI does. 
> > > > > 
> > > > > I considered the information contained in the "algorithm" and 
> > > > > "doi" fields required for interoperability, and the use
> > > > > implementation specific.
> > > > > 
> > > > > If this doesn't answer your question, let me know. 
> > > > 
> > > > I think what Paul might be asking is why is it better to have two
> > > > fields, one for Security Mechanism and one for the DOI when that can be
> > > > one field. If we go with a method similar to the second described above
> > > > for DOIs you could have IANA allocate a range of DOIs for SELinux
> > > > partitioning it off into a range for publicly assigned DOIs and
> > > > privately managed DOIs. It is acceptable to have IANA create and
> > > > populate a registry with values in the document.
> > > > 
> > > 
> > > Ok, I understand now. Yes, that seems reasonable, fair, and flexible.
> > > I can still keep semantics (a mechanism and ability to group or
> > > differentiate).
> > > 
> > > So, a doi field that is 32 bits, with perhaps so much for SELinux,
> > > further partitioned for public and private use. The same for Smack.
> > > Right? And remaining for future use.
> > 
> > The standards people don't particularly care about specific security
> > models in this case. I initially mentioned implementation specific
> > details in my early labeled NFS drafts and was told that those aren't
> > really a concern of the protocol. Since the label is a (DOI,<OPAQUE>)
> > tuple it is up to whomever obtains a number from IANA to define the
> > meaning of that DOI. However it should be written into the standard what
> > information is recorded by IANA to bind to these numbers. Also do we see
> > several registries? I really only see one registry that can be shared by
> > all three of these drafts. I just hope they don't want us to write up an
> > RFC for the definition and management of DOIs (it might happen that way
> > though).
> > 
> 
> Ok, gotta admit, I am a little confused as to how we could share the
> same DOI registry with CALIPSO since they are using a dotted-quad format
> right now? And it doesn't seem to accomodate but one DOI from IANA which
> leaves me confused as to how I would get one and then partition it for
> private and non-private uses.

Well we might need to talk with the CALIPSO people to figure out a way
that we can all use their DOI scheme. At its core their method just
seems to be a dotted-quad format as you have said. IANA's job is to keep
track of these dotted-quads. 

Excerpt from CALIPSO Draft

DOI Value                   Organisation or Use
      =======================     ============================
      0:0:0:0                     Null DOI; MUST NOT be used
                                  on any network at any time.
      0:0:0:1 to 0:255:255:255    For private use among
                                  consenting parties within
                                  private networks; for reasons
                                  of interoperability, these
                                  DOI values MUST NOT ever
                                  appear on the global public
                                  Internet.
      1:0:0:0 to 254:255:255:255  For assignment by IANA to
                                  organisations following the
                                  guidelines in the paragraph
                                  below.
      255:0:0:0 to 255:0:0:0      Reserved to the IETF for
                                  future use by possible
                                  revisions of this specification.


So according to this table IANA can assign anything in the range in section 3.

This means if you wanted to you could ask IANA to reserve
1:0:1:*-1:0:2:* for SELinux DOIs stating that anything in the class C
starting with 1 is public and starting with 2 is private.

I am just taking the CALIPSO mechanism for DOIs here and not the
requirements of how many are issued to what organizations and whatnot.

This would need to be something discussed at the BOF.

> 
> Because there is already a working prototype of labeled ipsec in
> Linux, I would have very much like to get assignments from IANA
> now for SELinux. I would like to make necessary modifications to Linux
> kernel and userspace soon as possible because it would seem odd to me to
> have an internet draft and a prototype that does not comply to it. It
> would also help to set a precedent of what would be required when asking
> for DOI assignments ( I hope I said that correctly).
>  
> > > 
> > > Would this be a consensus in regards to DOI for labeled nfs, labeled
> > > ipsec, and CALIPSO drafts?
> > > 
> > 
> > I would like to think that we could establish one definition of a DOI
> > for IETF documents. I spoke with several people at the last IETF meeting
> > and they said that we need to stay consistent here. I will be trying to
> > organize a security label BOF at the next IETF meeting so we can sit
> > down and discuss the way things should work. I doubt this will spawn a
> > working group for security labels but we could come to a consensus on
> > certain things.
> > 
> 
> Ahh, ok. Please let me know if you schedule this BOF.
> I guess my concern is I want to get my drafts submitted now.
> Because there is a working prototype, I felt it best
> to go ahead and ask for the IANA assignments now.
> But I do agree with what you are saying... just need to figure
> out how I should proceed...

Don't fall into the same trap that I did initially thinking that just
because you submitted a draft that it is set in stone. It is common for
a draft to change many times even before it hits the implementation
phase of the standards process. Then once you have multiple people
implementing the standard you will probably run into other problems that
you didn't think of initially. It is a good idea for you to submit the
draft with your concept of a DOI at this point since it gives us several
drafts to consider in the BOF. 

Something else to remember is that the fast paced development model of
the Linux community doesn't mesh well with the IETF process. I was at
the NFSv4 WG meeting in Dublin and I had asked about getting my work
added to the charter. They said it could be done between meetings which
is a good thing. To this I responded that it was good that this could be
done quickly and that I didn't have to wait four months to get it done.
One of the directors replied well four months is quick. So patience is a
virtue in this venue.


About the BOF, I sent an email to the Security Area Director about
setting up a BOF and it was suggested that we start with a Bar BOF
first. This type of BOF isn't as formal as a normal one but regular BOFs
are usually formed for the purpose of trying to start a working group.
Even though it is an informal BOF it still needs to have a clear purpose
and a set of goals to accomplish. The main issue I see at the moment is
going to be DOIs. Like we've seen we have three competing definitions of
them and it would be nice to nail it down to one that we can all agree
on.

However this doesn't necessarily have to be the only thing we discuss.
When I post the information about the Bar BOF I am going to do a call
for participation for other topics as well. For all we know there might
be other security label people lurking in other working groups that
might have topics they want to discuss.

Dave

> 
> regards,
> Joy


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux