On Mon, 2009-12-07 at 18:41 -0600, Nicolas Williams wrote:
> On Mon, Dec 07, 2009 at 06:59:13PM -0500, Paul Moore wrote:
> > On Monday 07 December 2009 06:20:31 pm Dan McDonald wrote:
> > > On Mon, Dec 07, 2009 at 05:53:59PM -0500, Paul Moore wrote:
> > > > Why spend the time and effort to develop two specifications (not to
> > > > mention the actual implementations) when one IP option based labeling
> > > > spec could solve both use cases at the same time?
> > >
> > > Because sometimes you want to put sensitive traffic on public networks,
> > > without the overhead of tunnel mode (until we can get the world to go
> > > beyond 1500-byte datagrams, overhead IS a problem).
> >
> > It is worth noting that this does introduce a scalability concern in the case
> > where a system communicates with another using a large number of security
> > labels. It is only made worse on systems that have "rich" security labels
> > which consist of more than just MLS attributes; e.g. SELinux labels contain
> > user, role, type and MLS ranges, each unique combination represents a new
> > label and in the case of labeled IPsec, a new SA. It is possible that a
> > traditional, unlabeled IPsec configuration which would only use a single SA
> > could potentially expand to several thousand SAs depending on the number of
> > security labels in use for that particular policy. We've already seen issues
> > related to this with SELinux.
>
> For any discrete packet flow (say, a TCP connection), it makes no sense
> to have more than one label or clearance range. Thus at worst you end
> up with a narrowed SA pair (or two, during re-keys) per-flow.
>
> For protocols like NFS you'd have to do labelling in the protocol.
> I.e., for NFS you'd let IP/IPsec determine the labels/clearances of the
> client and server, and then the client and server would deal with
> labelling of files and user processes'/threads' actions.
>
> IOW, the number of SAs will be bounded by the number of concurrent,
> discrete packet flows, not by the number of labels.
I could be misunderstanding what you are saying, but I agree with Paul here.
When using a MAC that employs labels using other security attributes in
addition to the MLS attributes, there can be more than one SA-pair per flow.
For example, SELinux uses user:role:type:mls-attributes. There can be a large
number of "types" defined by the MAC system for the type attribute. So,
although mls-attributes may be the same for two different TCP connections, if
the "type" is different, then that implies 2 different labels, one for each of
the TCP connections. Thus an SA-pair is needed for each of the two TCP
connections on the flow.

regards,
Joy

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
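A small model of the SA-count question argued in this thread, added here as an illustration and not code from any poster or from an IPsec implementation. The flows and SELinux contexts are constructed sample data, and the policy functions are simplified stand-ins for real SA selectors (unlabeled, MLS-only label, full SELinux label, per-flow):

```python
"""Count SA pairs a labeled-IPsec policy would need for a set of flows.

Constructed example: each 'policy' maps a flow to the key that
identifies one SA pair; the number of distinct keys is the SA-pair count.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    context: str  # SELinux context "user:role:type:mls"


def parse_context(ctx: str) -> Tuple[str, str, str, str]:
    """Split user:role:type:mls. The MLS part may itself contain ':'
    (e.g. 's1:c1'), so split at most three times."""
    user, role, type_, mls = ctx.split(":", 3)
    return user, role, type_, mls


# Simplified SA selector policies (constructed, not real IKE logic).
def unlabeled(f: Flow):       # one SA pair per host pair
    return (f.src, f.dst)

def mls_only(f: Flow):        # label = MLS range only
    return (f.src, f.dst, parse_context(f.context)[3])

def full_label(f: Flow):      # label = whole SELinux context
    return (f.src, f.dst, f.context)

def per_flow(f: Flow):        # narrowed SA pair per TCP connection
    return (f.src, f.dst, f.sport, f.dport)


def count_sa_pairs(flows: Iterable[Flow], key: Callable[[Flow], object]) -> int:
    return len({key(f) for f in flows})


def sa_pairs_by_policy(flows: Iterable[Flow]) -> Dict[str, int]:
    flows = list(flows)
    return {p.__name__: count_sa_pairs(flows, p)
            for p in (unlabeled, mls_only, full_label, per_flow)}


# Constructed sample: four TCP connections between the same two hosts.
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "10.0.0.2", 40001, 22, "staff_u:staff_r:ssh_t:s0"),
    Flow("10.0.0.1", "10.0.0.2", 40002, 80, "system_u:system_r:httpd_t:s0"),
    Flow("10.0.0.1", "10.0.0.2", 40003, 80, "system_u:system_r:httpd_t:s1:c1"),
    Flow("10.0.0.1", "10.0.0.2", 40004, 22, "staff_u:staff_r:ssh_t:s0"),
]
```

Flows 1 and 2 share MLS level s0 but differ in type, so the full-label policy needs a separate SA pair for them even though an MLS-only label would not; the per-flow count is the upper bound, reached only when no two concurrent flows share a label.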