On Fri, 2009-12-04 at 12:46 -0600, Nicolas Williams wrote:
> On Fri, Dec 04, 2009 at 01:39:46PM -0500, Dan McDonald wrote:
> > The bigger point being missed by this thread, I think, is that it seems that any work in multi-level security needs to deal with successful interoperability. If it doesn't, there's little point in documenting a single-platform solution as part of a working group's output.
>
> +1.
>
> The proposed work item is, at first glance anyways, too SELinux-specific.
>
> Note that SMACK encodes its labels as CIPSO labels, so a scheme that uses CIPSO can possibly be used in SMACK and non-SMACK environments, and possibly even be mixed.

Yes, I agree.
Actually, we hoped the method we introduced was generic enough to accommodate both CIPSO and SMACK and any other MAC besides SELinux. We had hoped to do this by treating the security context as an opaque blob and introducing a DOI.

I've actually discussed and collaborated on the "DOI" concept with Linux's CIPSO developer and the labeled NFS developer. The SMACK developer was included, but I do not recall if he said anything.

We hoped that this "DOI" would be used not only by labeled IPsec, but also by CIPSO and others that use labels on the network. In a way, the "DOI" would help to identify the "mapping", thus perhaps allowing different MACs to talk to each other.

Interoperability was and is a chief concern. However, I am sure the drafts most definitely can be improved upon.

regards,
Joy
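A sketch of the "DOI selects the mapping" idea from the message above, written as an added Python example (it is not from the drafts, from Linux's CIPSO code, or from any poster): it parses a CIPSO IP option as laid out in FIPS 188 (type 134, 4-octet DOI, bit-mapped or enumerated tags) and uses the DOI to choose which policy's label names apply. The sample options and the per-DOI name tables are constructed for illustration.

```python
import struct

CIPSO_OPTION_TYPE = 0x86        # IP option type 134 (FIPS 188)
TAG_BITMAP, TAG_ENUM = 1, 2     # tag type 1 (bit-mapped) and 2 (enumerated)

def parse_cipso(option: bytes):
    """Return (doi, sensitivity_level, frozenset(categories)) from one CIPSO option."""
    if len(option) < 6 or option[0] != CIPSO_OPTION_TYPE or option[1] != len(option):
        raise ValueError("not a well-formed CIPSO option")
    doi = struct.unpack("!I", option[2:6])[0]   # the DOI names the labelling authority
    pos, level, cats = 6, None, set()
    while pos < len(option):
        tag_type, tag_len = option[pos], option[pos + 1]
        if tag_len < 4 or pos + tag_len > len(option):
            raise ValueError("truncated CIPSO tag")
        body = option[pos + 2:pos + tag_len]    # alignment octet, level, category data
        level = body[1]
        if tag_type == TAG_BITMAP:
            # bit 0 (MSB of the first octet) is category 0, bit 1 is category 1, ...
            for i, octet in enumerate(body[2:]):
                cats.update(i * 8 + b for b in range(8) if octet & (0x80 >> b))
        elif tag_type == TAG_ENUM:
            cats.update(struct.unpack("!%dH" % (len(body[2:]) // 2), body[2:]))
        else:
            raise ValueError("unsupported CIPSO tag type %d" % tag_type)
        pos += tag_len
    return doi, level, frozenset(cats)

# Constructed, hypothetical per-DOI tables: the same level number or category
# bit means different things under different DOIs, so the DOI picks the table.
DOI_MAPS = {
    1: {"levels": {0: "unclassified", 2: "secret"}, "categories": {0: "alpha", 1: "beta"}},
    3: {"levels": {1: "internal"}, "categories": {5: "finance"}},
}

def label_for(option: bytes) -> str:
    """Translate a CIPSO option into a textual label via its DOI's mapping."""
    doi, level, cats = parse_cipso(option)
    table = DOI_MAPS.get(doi)
    if table is None:
        # No agreed mapping for this DOI: a receiver cannot interpret the label.
        raise LookupError("no mapping for DOI %d" % doi)
    names = ",".join(table["categories"][c] for c in sorted(cats))
    return "%s:%s" % (table["levels"][level], names)

# Constructed sample options: DOI 1 with a bit-mapped tag, DOI 3 with an enumerated tag.
SAMPLE_BITMAP = bytes.fromhex("860c" "00000001" "0106" "0002c000")
SAMPLE_ENUM = bytes.fromhex("860c" "00000003" "0206" "00010005")
```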