On Fri, Mar 27, 2009 at 11:56:41AM -0700, Jarrett Lu wrote:
> I don't yet see a good way to solve this problem using bits on the wire.
> The agreement on what label encodings or security policy to use seems
> better solved in an out of band manner. For example, on a (secure)
> website, you can say "download this label encoding file or configure
> your MAC system with this policy and use DOI number 5. Then we can talk".

Well, you could use a PKIX certificate extension, or a Kerberos V ticket
authorization-data and ticket extension to point to the actual DOI rules.
But the simplest thing, given that most nodes will participate in a single
DOI, is to configure this when the node joins the network (when it gets
whatever credentials it needs). In practice this is exactly what happens --
out of band delivery of what Solaris TX calls "label encodings."

> BTW, CALIPSO with IP module has the same issue. While the spec talks a
> lot about how a CALIPSO system should behave, CALIPSO can't tell its
> peers to use a particular label encoding. That's done outside CALIPSO.

BTW, you're using the Solaris TX meaning of "label encoding" but CALIPSO
uses the term "encoding" in a very different way (or two: one in relation
to how to represent releasability, and the other for actual bits on the
wire). We should be careful to use terminology that we all understand.

What you've been calling "label encoding" CALIPSO calls, I think, "a
particular set of policies which define the Sensitivity Levels and
Compartments present within the DOI, and by inference, to the "real world"
(e.g. used on paper documents) equivalent labels" -- very wordy, that!

> I believe it's still worthwhile to request adding a DOI + an opaque
> field in NFSv4 protocol. The spec should be clear that other
> arrangements need to be made before interoperability can take place.

I agree. I believe that negotiation of the "particular set of policies
which..." is something that belongs in the authentication facilities, or
else out of band -- either way that is completely outside the scope of
this document (and even the RPCSEC_GSSv3 document).

> CALIPSO spec has considerations in how routers can support DOI and MLS
> labels. I don't believe that affects or harms NFSv4 in any way, as
> routers won't look at NFSv4 stuff.

Indeed. What CALIPSO does though, is require that end-points select packet
labels that dominate the labels of the data being sent.

Nico

-- 
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.
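The two ideas the thread turns on, an out-of-band "label encoding" that fixes what a DOI contains and the CALIPSO rule that a packet label must dominate the labels of the data it carries, as an added toy model that is not code from this thread, from CALIPSO or from any NFSv4 implementation. The DOI number 5, the level names and the compartment names are constructed for the example.

```python
"""Toy MLS label model illustrating the thread's two points (added example,
not from the thread or any CALIPSO/NFSv4 code). DOI 5, the level names and
the compartment names are constructed."""
from dataclasses import dataclass

# A "label encoding" in the Solaris TX sense: the out-of-band agreement
# that says which levels and compartments DOI 5 contains.
LABEL_ENCODING = {
    "doi": 5,
    "levels": {"PUBLIC": 0, "INTERNAL": 1, "SECRET": 2},
    "compartments": {"ALPHA", "BRAVO"},
}

@dataclass(frozen=True)
class Label:
    doi: int                 # Domain of Interpretation the label belongs to
    level: int               # sensitivity level, higher is more sensitive
    compartments: frozenset  # compartment names (bitmap positions in CALIPSO)

    def dominates(self, other: "Label") -> bool:
        """MLS dominance: same DOI, level at least as high, superset of compartments."""
        if self.doi != other.doi:
            raise ValueError("labels from different DOIs are not comparable")
        return self.level >= other.level and other.compartments <= self.compartments

def parse_label(text: str, encoding: dict = LABEL_ENCODING) -> Label:
    """Turn 'SECRET:ALPHA,BRAVO' into a Label under the agreed encoding."""
    level_name, _, comps = text.partition(":")
    names = frozenset(c for c in comps.split(",") if c)
    unknown = names - encoding["compartments"]
    if unknown:
        raise ValueError(f"compartments not in this DOI: {sorted(unknown)}")
    return Label(encoding["doi"], encoding["levels"][level_name], names)

def least_upper_bound(labels: list) -> Label:
    """Smallest label dominating every data label: the label an end-point
    must place on a packet carrying that data."""
    dois = {lbl.doi for lbl in labels}
    if len(dois) != 1:
        raise ValueError("cannot combine labels from different DOIs")
    return Label(dois.pop(), max(lbl.level for lbl in labels),
                 frozenset().union(*(lbl.compartments for lbl in labels)))

def packet_label_ok(packet: Label, data: list) -> bool:
    """The CALIPSO end-point requirement: the packet label dominates all data."""
    return all(packet.dominates(d) for d in data)
```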