Re: [nfsv4] [Labeled-nfs] New MAC label support Internet Draft posted to IETF website

[Nicolas Williams <Nicolas.Williams@sun.com>]

On Fri, Mar 27, 2009 at 11:56:41AM -0700, Jarrett Lu wrote:
> I don't yet see a good way to solve this problem using bits on the wire. 
> The agreement on what label encodings or security policy to use seems 
> better solved in an out of band manner. For example, on a (secure) 
> website, you can say "download this label encoding file or configure 
> your MAC system with this policy and use DOI number 5. Then we can talk".

Well, you could use a PKIX certificate extension, or a Kebreros V ticket
authorization-data and ticket extension to point to the actual DOI
rules.

But the simplest thing, given that most nodes will participate in a
single DOI, is to configure this when the node joins the network (when
it gets whatever credentials it needs).  In practice this is exactly
what happens -- out of band delivery of what Solaris TX calls "label
encodings."

> BTW, CALIPSO with IP module has the same issue. While the spec talks a 
> lot about how a CALIPSO  system should behave, CALIPSO can't tell its 
> peers to use a particular label encoding. That's done outside CALIPSO.

BTW, you're using the Solaris TX meaning of "label encoding" but CALIPSO
uses the term "encoding" in a very different way (or two: one in
relation to how to represent releasability, and the other for actual
bits on the wire).  We should be careful to use terminology that we all
understand.  What you've been calling "label encoding" CALIPSO calls, I
think, "a particular set of policies which define the Sensitivity Levels
and Compartments present within the DOI, and by inference, to the "real
world" (e.g. used on paper documents) equivalent labels" -- very wordy,
that!

> I believe it's still worthwhile to request adding a DOI + an opaque 
> field in NFSv4 protocol. The spec should be clear that other 
> arrangements need to be made before interoperability can take place.

I agree.  I believe that negotiation of the "particular set of policies
which..." is something that belongs in the authentication facilities, or
else out of band -- either way that is completely outside the scope of
this document (and even the RPCSEC_GSSv3 document).

> CALIPSO spec has considerations in how routers can support DOI and MLS 
> labels. I don't believe that affects or harms NFSv4 in anyway, as 
> routers won't look at NFSv4 stuff.

Indeed.  What CALIPSO does though, is require that end-points select
packet labels that dominate the labels of the data being sent.

Nico
-- 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.