On Dec 10, 2009, at 2:57 PM, Bill Sommerfeld wrote:
> On Wed, 2009-12-09 at 12:29 -0800, Jarrett Lu wrote:
>> I could be wrong here. I thought the opaque blob is passed as payload
>> in IKE exchange, not as IP option in the header.
>
> There are multiple places where labels could appear on a p
On Wed, 2009-12-09 at 12:29 -0800, Jarrett Lu wrote:
> I could be wrong here. I thought the opaque blob is passed as payload
> in IKE exchange, not as IP option in the header.
There are multiple places where labels could appear on a packet by
packet basis:
a) explicitly in each packet outside e
David P. Quigley wrote:
> On Wed, 2009-12-09 at 14:48 -0500, Paul Moore wrote:
>
>> On Wednesday 09 December 2009 02:31:16 pm Jarrett Lu wrote:
>>
>>> Paul Moore wrote:
>>>
I agree with Casey and David. I think the only way we stand any chance
of success is to develop an on
On Wed, 2009-12-09 at 12:31 -0500, Paul Moore wrote:
> On Wednesday 09 December 2009 10:21:30 am David P. Quigley wrote:
> > On Tue, 2009-12-08 at 19:57 -0800, Casey Schaufler wrote:
> > [snip]
> >
> > > > The term "DOI" has been used in traditional MLS systems for about two
> > > > decades. In the
Paul Moore wrote:
On Wednesday 09 December 2009 02:31:16 pm Jarrett Lu wrote:
Paul Moore wrote:
I agree with Casey and David. I think the only way we stand any chance
of success is to develop an on-the-wire format that can be easily
internalized by a variety of implementations. For exa
On Wed, 2009-12-09 at 14:48 -0500, Paul Moore wrote:
> On Wednesday 09 December 2009 02:31:16 pm Jarrett Lu wrote:
> > Paul Moore wrote:
> > > I agree with Casey and David. I think the only way we stand any chance
> > > of success is to develop an on-the-wire format that can be easily
> > > interna
On Wednesday 09 December 2009 02:31:16 pm Jarrett Lu wrote:
> Paul Moore wrote:
> > I agree with Casey and David. I think the only way we stand any chance
> > of success is to develop an on-the-wire format that can be easily
> > internalized by a variety of implementations. For example, I know CIP
It is very clear that there is no common understanding among the participants
on this thread. I propose that we cut this off for now until we can figure out
what to do with the proposed work item.
--Paul Hoffman, Director
--VPN Consortium
Paul Moore wrote:
I agree with Casey and David. I think the only way we stand any chance of
success is to develop an on-the-wire format that can be easily internalized by
a variety of implementations. For example, I know CIPSO is far from the
darling child of labeled networking, but due in l
On Wednesday 09 December 2009 02:06:04 pm David P. Quigley wrote:
> On Wed, 2009-12-09 at 12:31 -0500, Paul Moore wrote:
> > On Wednesday 09 December 2009 10:21:30 am David P. Quigley wrote:
> > > On Tue, 2009-12-08 at 19:57 -0800, Casey Schaufler wrote:
> > > [snip]
> > >
> > > > > The term "DOI"
Casey Schaufler wrote:
Jarrett Lu wrote:
Casey Schaufler wrote:
Jarrett Lu wrote:
Without rehashing the statements made in the above discussion threads,
it's probably helpful to have a realistic interoperability expectation
for labeled systems. Defining label formats and security
On Wednesday 09 December 2009 10:21:30 am David P. Quigley wrote:
> On Tue, 2009-12-08 at 19:57 -0800, Casey Schaufler wrote:
> [snip]
>
> > > The term "DOI" has been used in traditional MLS systems for about two
> > > decades. In the MLS world, when systems use the same DOI, it means they
> > > agree
Jarrett Lu wrote:
> Casey Schaufler wrote:
>> Jarrett Lu wrote:
>>
>>> Without rehashing the statements made in the above discussion threads,
>>> it's probably helpful to have a realistic interoperability expectation
>>> for labeled systems. Defining label formats and security mechanisms in
>>> vario
On Tue, 2009-12-08 at 19:57 -0800, Casey Schaufler wrote:
[snip]
>
> >
> > The term "DOI" has been used in traditional MLS systems for about two
> > decades. In the MLS world, when systems use the same DOI, it means they
> > agree to the same label definition and MAC policy, and the systems are
> > mos
Jarrett Lu wrote:
>> Joy Latten wrote:
>> On Mon, 2009-12-07 at 15:02 -0600, Nicolas Williams wrote:
>>
>>> On Mon, Dec 07, 2009 at 10:10:15AM -0600, Joy Latten wrote:
>>>
> The proposed work item is, at first glance anyways, too SELinux-specific.
>
> Note that SMACK encode
Casey Schaufler wrote:
Jarrett Lu wrote:
Without rehashing the statements made in the above discussion threads,
it's probably helpful to have a realistic interoperability expectation
for labeled systems. Defining label formats and security mechanisms in
various networking protocols is important.
Joy Latten wrote:
On Mon, 2009-12-07 at 15:02 -0600, Nicolas Williams wrote:
On Mon, Dec 07, 2009 at 10:10:15AM -0600, Joy Latten wrote:
The proposed work item is, at first glance anyways, too SELinux-specific.
Note that SMACK encodes its labels as CIPSO labels, so a scheme that
uses CI
On Dec 7, 2009, at 5:26 PM, Paul Moore wrote:
> On Monday 07 December 2009 05:16:26 pm Stephen Kent wrote:
>> Paul,
>>
>> From your comments it seems as though an IP option would be
>> preferable, as it is not IP-sec-specific, and it can be protected if
>> needed, in the IPSec context, e.g., via
On Monday 07 December 2009 11:59:51 pm Steven Bellovin wrote:
> On Dec 7, 2009, at 5:26 PM, Paul Moore wrote:
> > On Monday 07 December 2009 05:16:26 pm Stephen Kent wrote:
> >> Paul,
> >>
> >> From your comments it seems as though an IP option would be
> >> preferable, as it is not IP-sec-specific
Paul Moore wrote:
> On Monday 07 December 2009 11:10:15 am Joy Latten wrote:
>
>> On Fri, 2009-12-04 at 12:46 -0600, Nicolas Williams wrote:
>>
>>> On Fri, Dec 04, 2009 at 01:39:46PM -0500, Dan McDonald wrote:
>>>
The bigger point being missed by this thread, I think, is that it
On Mon, Dec 07, 2009 at 06:59:13PM -0500, Paul Moore wrote:
> > You could have PAD entries that set labels. We do that today in
> > OpenSolaris.
>
> I apologize, but I'm not familiar with OpenSolaris's IPsec - do you use the
> pad to assign labels when none are present (the fallback case) or do
On Monday 07 December 2009 07:41:21 pm Nicolas Williams wrote:
> On Mon, Dec 07, 2009 at 06:59:13PM -0500, Paul Moore wrote:
> > On Monday 07 December 2009 06:20:31 pm Dan McDonald wrote:
> > > On Mon, Dec 07, 2009 at 05:53:59PM -0500, Paul Moore wrote:
> > > > Why spend the time and effort to deve
On Mon, 2009-12-07 at 18:41 -0600, Nicolas Williams wrote:
> On Mon, Dec 07, 2009 at 06:59:13PM -0500, Paul Moore wrote:
> > On Monday 07 December 2009 06:20:31 pm Dan McDonald wrote:
> > > On Mon, Dec 07, 2009 at 05:53:59PM -0500, Paul Moore wrote:
> > > > Why spend the time and effort to develop
Nicolas Williams wrote:
On Mon, Dec 07, 2009 at 04:40:05PM -0500, Sean Turner wrote:
Nicolas Williams wrote:
...snip...
- A separate I-D for adding labeling information to certificates.
Are you suggesting that you'd label a certificate? I suspect what
you're talking about is including what la
On Mon, Dec 07, 2009 at 06:59:13PM -0500, Paul Moore wrote:
> On Monday 07 December 2009 06:20:31 pm Dan McDonald wrote:
> > On Mon, Dec 07, 2009 at 05:53:59PM -0500, Paul Moore wrote:
> > > Why spend the time and effort to develop two specifications (not to
> > > mention the actual implementations
On Mon, 2009-12-07 at 16:37 -0500, Paul Moore wrote:
> On Monday 07 December 2009 11:10:15 am Joy Latten wrote:
> > On Fri, 2009-12-04 at 12:46 -0600, Nicolas Williams wrote:
> > > On Fri, Dec 04, 2009 at 01:39:46PM -0500, Dan McDonald wrote:
> > > > The bigger point being missed by this thread, I
On Monday 07 December 2009 06:20:31 pm Dan McDonald wrote:
> On Mon, Dec 07, 2009 at 05:53:59PM -0500, Paul Moore wrote:
> > > But this is not a reason to oppose labelled IPsec. It's a reason to
> > > want an extended IP packet labelling standard.
> >
> > Why spend the time and effort to develop t
On Mon, 2009-12-07 at 15:02 -0600, Nicolas Williams wrote:
> On Mon, Dec 07, 2009 at 10:10:15AM -0600, Joy Latten wrote:
> > > The proposed work item is, at first glance anyways, too SELinux-specific.
> > >
> > > Note that SMACK encodes its labels as CIPSO labels, so a scheme that
> > > use
On Mon, Dec 07, 2009 at 05:53:59PM -0500, Paul Moore wrote:
> > But this is not a reason to oppose labelled IPsec. It's a reason to
> > want an extended IP packet labelling standard.
>
> Why spend the time and effort to develop two specifications (not to mention
> the actual implementations) whe
On Monday 07 December 2009 04:51:10 pm Nicolas Williams wrote:
> On Mon, Dec 07, 2009 at 04:37:50PM -0500, Paul Moore wrote:
> > I've mentioned all of this before, but my main fundamental concern with
> > the proposed labeled IPsec spec is that not everyone who wants labeled
> > networking wants I
On Mon, Dec 07, 2009 at 04:40:05PM -0500, Sean Turner wrote:
> Nicolas Williams wrote:
> ...snip...
> > - A separate I-D for adding labeling information to certificates.
>
> Are you suggesting that you'd label a certificate? I suspect what
> you're talking about is including what labels a user/d
On Monday 07 December 2009 05:16:26 pm Stephen Kent wrote:
> Paul,
>
> From your comments it seems as though an IP option would be
> preferable, as it is not IP-sec-specific, and it can be protected if
> needed, in the IPSec context, e.g., via tunneling.
Exactly. Since the option would be immuta
On Mon, Dec 07, 2009 at 04:37:50PM -0500, Paul Moore wrote:
> At the SELinux Developer's Summit a few months ago there was a bit of a
> general discussion about DOIs and label representation between myself (Linux
> labeled networking), Dave Quigley (labeled NFS, added to CC) and Casey
> Schaufle
Paul,
From your comments it seems as though an IP option would be
preferable, as it is not IP-sec-specific, and it can be protected if
needed, in the IPSec context, e.g., via tunneling.
Steve
___
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org
Nicolas Williams wrote:
...snip...
- A separate I-D for adding labeling information to certificates.
Are you suggesting that you'd label a certificate? I suspect what
you're talking about is including what labels a user/device supports and
the clearance attribute in the RFC 3281 update
(ht
On Monday 07 December 2009 11:10:15 am Joy Latten wrote:
> On Fri, 2009-12-04 at 12:46 -0600, Nicolas Williams wrote:
> > On Fri, Dec 04, 2009 at 01:39:46PM -0500, Dan McDonald wrote:
> > > The bigger point being missed by this thread, I think, is that it
> > > seems that any work in multi-level se
On Mon, Dec 07, 2009 at 10:10:15AM -0600, Joy Latten wrote:
> > The proposed work item is, at first glance anyways, too SELinux-specific.
> >
> > Note that SMACK encodes its labels as CIPSO labels, so a scheme that
> > uses CIPSO can possibly be used in SMACK and non-SMACK environments, and
>
On Fri, 2009-12-04 at 13:39 -0500, Dan McDonald wrote:
> On Fri, Dec 04, 2009 at 12:09:50PM -0600, Joy Latten wrote:
>
>
>
> > I believe they are becoming more mainstream. For example, SELinux and
> > Simplified Mandatory Access Control (SMACK) in Linux Operating System
> > and Mandatory Integri
On Fri, 2009-12-04 at 12:46 -0600, Nicolas Williams wrote:
> On Fri, Dec 04, 2009 at 01:39:46PM -0500, Dan McDonald wrote:
> > The bigger point being missed by this thread, I think, is that it
> > seems that any work in multi-level security needs to deal with
> > successful interoperability. If i
On Fri, Dec 04, 2009 at 10:46:02PM +0200, Yaron Sheffer wrote:
> Please remember that it is up to the WG to define the work item. The
> I-D is just a possible starting point, so if there's strong interest
> in this area, you may wish to reach consensus on a charter item - and
> to convince the rest
Yaron
> -Original Message-
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
> Nicolas Williams
> Sent: Friday, December 04, 2009 20:46
> To: Dan McDonald
> Cc: ipsec@ietf.org; Joy Latten
> Subject: Re: [IPsec] Proposed work item: Labelled IPsec
On Fri, Dec 04, 2009 at 01:39:46PM -0500, Dan McDonald wrote:
> The bigger point being missed by this thread, I think, is that it
> seems that any work in multi-level security needs to deal with
> successful interoperability. If it doesn't, there's little point in
> documenting a single-platform s
On Fri, Dec 04, 2009 at 12:09:50PM -0600, Joy Latten wrote:
> I believe they are becoming more mainstream. For example, SELinux and
> Simplified Mandatory Access Control (SMACK) in Linux Operating System
> and Mandatory Integrity Control in Windows Vista.
You forgot OpenSolaris Trusted Extensio
On Sun, 2009-11-29 at 19:59 -0500, Stephen Kent wrote:
> I think that there has been insufficient discussion of whether those
> who wish to make use of IPsec to enforce mandatory access controls
> require the facilities described by the folks who have proposed this.
> At the WG meeting 2 weeks a
Yaron Sheffer wrote:
This work item proposes to extend IKEv2 (and IKEv1) so as to allow IPsec to be
used in environments that require Mandatory Access Control. It is envisioned
that this will be used by modern high-security operating systems, that go
beyond the currently supported Multilevel S
If this proposal is accepted, I commit to review it.
Scott Moonen (smoo...@us.ibm.com)
z/OS Communications Server TCP/IP Development
http://www.linkedin.com/in/smoonen
From: Yaron Sheffer
To: "ipsec@ietf.org"
Date: 11/29/2009 12:26 PM
Subject: [IPsec] Proposed work item: Labelled IPsec
Thi
I think that there has been insufficient discussion of whether those
who wish to make use of IPsec to enforce mandatory access controls
require the facilities described by the folks who have proposed this.
At the WG meeting 2 weeks ago I made two observations:
- possible use of CIPSO for c