Bill Sommerfeld wrote:
> On Fri, 2008-10-03 at 06:58 -0700, Joe Touch wrote:
>
>> There appears to be at least one change that might be required by all
>> Internet hosts; current behavior upon receipt of an IP packet at a
>> security level not supported is to send a TCP RST. This document
>> indicates that such hosts MUST silently drop such packets.
>
> In a securely-configured MLS environment, systems not running an MLS
> operating system will never receive a packet with an MLS label -- if
> they did, that inherently means that an MLS system somewhere is
> misconfigured and information is flowing in violation of the MLS policy.
>
> It is IMHO not necessary to specify what a label-unaware system should
> do with a labeled packet -- if they get one at all, it's a serious error
> on the part of the sender.

Serious errors occur all the time. The expected behavior of the MLS in interacting with a non-MLS endpoint should be explained *when* that happens.

>>> 2) MLS operating systems have different requirements:
>>> In turn, this specification *only* applies to Multi-Level
>>> Secure (MLS) operating systems that choose to implement
>>> this particular IPv6 labelling specification. The draft
>>> is very clear about this.
>> The draft does not appear to indicate how an MLS system would interact
>> with legacy systems that are not updated.
>
> are you asking about labeled or unlabeled interoperability?

Both, since you brought it up, but I was originally thinking of unlabeled.

> the MLS systems I'm familiar with are configured with policy indicating
> the clearances of other hosts. That policy can indicate whether or not
> packets to the other system should contain an explicit MLS label.
>
> non-MLS systems will typically never see a label.

Agreed, but (as above), this still needs to be explicit in this doc IMO.
Joe

_______________________________________________
saag mailing list
saag at ietf.org
https://www.ietf.org/mailman/listinfo/saag