On 04/01/09 09:46, Paul Moore wrote: 
On Wednesday 01 April 2009 03:46:58 am Jarrett Lu wrote:

[ ... ]

  
The challenge of interpreting and translating labels is that one system
needs to know a lot of info about its peer. And there is no good way to
describe the (sometimes subtle) difference. I think this problem may be
harder on DTE systems than on MLS systems, I believe.
    

I'm not sure we will ever be able to arrive at a solution that requires a 
system to be able to understand the security policy/labels of another; things 
change to much and I don't think anyone's crystal ball is that good.  
Personally I think the best we can do is hope for a solution that allows a 
system to understand a security policy/label system defined by a pre-existing 
DOI definition.  If we can do that then we can at least allow two different 
systems to communicate via an agreed upon DOI regardless of their internal 
security policies/labels.  I'll admit it isn't perfect, but I think the 
problem space is much smaller and likely to have less churn over time.

This comes back to semantics of DOI. So far, I heard two slightly different versions:
(1) DOI is a key to a set of label parsing functions. Knowing the DOI value implies the parser on the system knows how to parse the octet string in opaque field. It says nothing about whether a peer's label can be correctly interpreted. I believe Daivd's draft uses this definition. (2) In addition to being able to parse the opaque field, DOI also implies communicating systems have consistent label policy and encoding. Systems with inconsistent policies are not supposed to use same DOI. This definition is closer to the CALIPSO DOI, and is how MLS systems use DOI today.

While (1) is easier to specify on the wire, I am not clear on what it takes to use it safely even when OOB methods are used. Since this definition doesn't say who should use this DOI and who is not supposed to, what happens when a node, which has not consented to the agreement over the OOB method, uses the same DOI and octet string format but with inconsistent label policy? (2) has an easier usage model, IMO. But it's harder to define a "pre-existing" DOI., e.g.  define DOI X to mean vendor ABC, OS version 1.0, label policy 2.0, label parser version 3.0, etc., and store that in some kind of registry. I think Nico's "URL during authentication" idea is interesting.

Ultimately I believe that the required label translation information
(wire/DOI label to internal and the other way around) is going to need to
be bundled with the system's security policy and distributed as a single
"package". Granted this does require prior knowledge of the DOIs in use
but I believe this is a much easier requirement than the opposite.  From
a practical point of view this isn't too far removed from the notion of
sending sending label encoding data upon joining the network, the big
difference is that we are sending both security policy and label
encoding/DOI-translation data at the same time (in the TSOL case I
suspect this would just be the label encoding data, which may mean the
original poster had this in mind).
      
Depending how different the systems are, the "package" content will be
different.
    

Yep, that is the point; squares hole need square pegs, round holes need round 
pegs.

  
Assuming we can assemble all the information required to do
label translation correctly into a package, passing that around the
systems seem inefficient, non-scalable ...
    

Honestly I don't see it as being that far removed from many of the current 
solutions that ship "security policy" to individual systems through the 
network/enterprise.  Also look at some of the NAC stuff that is being used 
these days, how is a security policy/translation "package" all that different 
from an anti-virus update or a set of os/application patches?

It is a solvable problem, or at least one that users have shown a willingness 
to tolerate.

I was thinking how to do that within a protocol enhancement.

  
... and probably outside the scope of labeled NFSv4 enhancement.
    

Perhaps.  Keep in mind I'm trying to think a bit more generically; if that 
isn't the goal I'll be happy to go back to my corner and sit quietly :)

  
So realistically, I think the DOI + opaque label is useful between very
compatible systems.
    

Of course.  I agree there are a lot of things you can do with a DOI + opaque 
label, especially if you are only concerned about end-to-end security issues 
which I believe is the case for labeled NFS.

  
Given that limitation, may be the "package" is small enough and can be
passed in RPC layer during authentication so that MLS can share files with
like MLS systems, and same is true for DTE, fmac, smack, ....
    

Well, I think all that the opaque label buys you is the ability to limit who 
you share the security policy/translation "package" with, as those systems 
that participate in the labeled communication (be it NFS, generic IP or some 
other random service) still need to worry about label translation and security 
policy differences if they want to enforce policy locally.

I am still trying to understand what is needed to make safe sharing possible. BTW, are you implying that it's always necessary to do one label translation, e.g. from on-the-wire format to a native label format?


Jarrett