On 3 Oct 2008, at 03:15, Lars Eggert wrote:
> For those of you who haven't followed the discussion so far on the main IETF list, Section 7.3 of this draft proposes that TCP and SCTP connections are now uniquely identified by a five-tuple consisting of source and destination IP addresses and ports as well as the sensitivity label.
Hi,

There appear to be several points of confusion within Lars' note. Please let me try to clarify what the draft actually says and doesn't say:

0) Background about MLS operating systems:

I think a major point of confusion relates to multi-level secure (MLS) operating systems, which most IETF folks have never encountered and many have never even heard about. In an MLS operating system, the OS provides mandatory access controls that separate users and data according to a lattice. Users have "clearances", while data have "sensitivity labels". These labels primarily are two dimensional. One traditionally thinks of a vertical axis consisting (bottom to top) of: System Low, Unclassified, Secret, Most Secret, System High. One traditionally thinks of a horizontal axis consisting of various compartments (e.g. NATO, UK, RU). The OS ensures that users with lower clearances are not even aware of the existence of data outside their clearance.

1) No change is proposed to TCP in general:

There is *no* proposal to change how TCP or SCTP connections are identified or implemented for any system that does NOT claim to implement this MLS label specification.

2) MLS operating systems have different requirements:

In turn, this specification *only* applies to Multi-Level Secure (MLS) operating systems that choose to implement this particular IPv6 labelling specification. The draft is very clear about this.

3) The MLS-specific proposal is accepted by long-term members of the Transport community:

Please see Dave Borman's note to the IETF discuss list from yesterday. Dave has about as much TCP experience as anyone.

4) Nothing new is being proposed for the transport layer:

This shipped about 20 years ago. So we have about 20 years of operational experience that the description in this draft is correct for an MLS operating system.

Circa 1992, MLS operating systems that implemented TCP in this way for IPv4 included at least:

  Digital Ultrix CMW
  IBM Trusted AIX
  SGI Trusted IRIX
  Sun CMW

As of now, some of those folks have left the MLS OS business, but I believe existing MLS operating systems as of today that do this include at least:

  Trusted Linux (only if configured with an MLS policy)
  Sun Trusted Solaris

I'm not as knowledgeable about MULTICS as others here (e.g. Mike StJohns), but one imagines that MULTICS also had this approach within its TCP when MULTICS was deployed with an MLS policy enabled.
> This is obviously a pretty significant architectural change that deserves discussion, especially since the deployment of this security label architecture is likely to be very limited.
5) This draft doesn't propose to change the transport architecture:

The draft simply describes how existing MLS operating systems implement multi-level security requirements within the existing transport-layer architecture. This is the same implementation approach that has been used for about 2 decades now.

6) This draft has had broad review from users who have MLS deployments and from implementers of MLS systems:

The draft has existed for a couple of years now. Comments on the draft from MLS-knowledgeable users have been received from many places on several continents. Similarly, comments have been received from MLS-knowledgeable implementers. Various changes have resulted from those comments and reviews. So within the MLS community there has already been significant review and consensus that this draft meets the needs for IPv6 deployments of MLS systems.

Yours,

Ran Atkinson
rja at extremenetworks.com
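The label lattice and the label-extended connection identifier discussed in this exchange, as an added illustration that is not part of the thread, of the draft, or of any of the operating systems named above: a small Python model in which a label is a (level, compartments) pair ordered by dominance, and the transport connection table is keyed by the five-tuple of addresses, ports and label. The level ordering follows the vertical axis as Ran lists it; the addresses, ports, user names and clearances are constructed for the example, and the table is a toy, not any real kernel's data structure.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Hierarchical ("vertical") levels, bottom to top, in the order given in the mail.
LEVELS = ["System Low", "Unclassified", "Secret", "Most Secret", "System High"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A sensitivity label on data, or a clearance held by a user: one
    hierarchical level plus a set of compartments (the "horizontal" axis)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in RANK:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        # Lattice order: at least as high a level AND a superset of compartments.
        return (RANK[self.level] >= RANK[other.level]
                and other.compartments <= self.compartments)


# Constructed connection identifier: the classic 4-tuple plus the label.
FiveTuple = Tuple[str, int, str, int, Label]


@dataclass
class Connection:
    key: FiveTuple
    owner: str


class MlsConnectionTable:
    """Toy model (assumption) of a transport connection table on an MLS host."""

    def __init__(self) -> None:
        self._conns: Dict[FiveTuple, Connection] = {}

    def __len__(self) -> int:
        return len(self._conns)

    def open(self, src: str, sport: int, dst: str, dport: int,
             label: Label, owner: str, clearance: Label) -> Connection:
        # A process may only create a connection whose label its clearance dominates.
        if not clearance.dominates(label):
            raise PermissionError(f"{owner}: clearance does not dominate {label}")
        key: FiveTuple = (src, sport, dst, dport, label)
        # Two connections with the same 4-tuple but different labels are distinct.
        if key in self._conns:
            raise ValueError("five-tuple already in use")
        conn = Connection(key, owner)
        self._conns[key] = conn
        return conn

    def lookup(self, src: str, sport: int, dst: str, dport: int,
               label: Label) -> Optional[Connection]:
        return self._conns.get((src, sport, dst, dport, label))

    def visible_to(self, clearance: Label) -> List[Connection]:
        # A listing shows only connections the viewer's clearance dominates; the
        # rest are not merely unreadable but absent from the view entirely.
        return [c for c in self._conns.values() if clearance.dominates(c.key[4])]


def demo() -> dict:
    """Two connections sharing a 4-tuple, differing only in label (constructed data)."""
    unclass = Label("Unclassified")
    secret_nato = Label("Secret", frozenset({"NATO"}))
    bob_clearance = Label("Secret", frozenset({"NATO", "UK"}))
    table = MlsConnectionTable()
    four = ("192.0.2.10", 40001, "198.51.100.5", 22)
    table.open(*four, unclass, "alice", clearance=unclass)
    table.open(*four, secret_nato, "bob", clearance=bob_clearance)
    # A user cleared only to Unclassified cannot open a Secret connection.
    try:
        table.open(*four, secret_nato, "carol", clearance=unclass)
        denied = False
    except PermissionError:
        denied = True
    return {
        "count": len(table),
        "lookup_secret": table.lookup(*four, secret_nato).owner,
        "lookup_unclass": table.lookup(*four, unclass).owner,
        "alice_sees": sorted(c.owner for c in table.visible_to(unclass)),
        "bob_sees": sorted(c.owner for c in table.visible_to(bob_clearance)),
        "denied": denied,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one both sides of the thread touch on: on a host that does not implement the labelling specification the label is simply absent from the key and the table degenerates to the ordinary 4-tuple, while on an MLS host the same 4-tuple can legitimately appear once per label, and lower-cleared users never observe the higher-labelled entries.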