Bill Sommerfeld wrote:
> On Fri, 2008-10-03 at 06:58 -0700, Joe Touch wrote:
...
>> I consider it very incomplete with regard to the impact of the changes
>> proposed on the architecture of MLS endpoints.
>
> I have a modest amount of MLS implementation experience. I believe the
> spec is complete enough to publish in its current form.

If you follow the implications of "With respect to a given network, each
distinct Sensitivity Label represents a separate virtual network which
shares the same physical network.", and the way it impacts TCP, can you
explain how the current draft indicates how to similarly virtualize any
of the following?

- ICMP handling
- forwarding
- routing
- IPv6 neighbor discovery
- IGMP
- PIM
- IPsec
- IPIP tunnels
- firewalls

All of these things use IP addresses as unique identifiers, and all are
affected by extending that space to use the pair [address, security
level] instead.

Even if these changes are limited to MLS endpoints, they either need to
be addressed, or the discussion of how MLS extends the endpoint needs to
be revised to avoid the idea that this virtualizes the network. If the
virtualization is limited to certain transport protocol connections,
then that should be stated explicitly (and only).

Joe

_______________________________________________
saag mailing list
saag at ietf.org
https://www.ietf.org/mailman/listinfo/saag
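The point Joe makes about the identifier space (address alone versus the pair [address, label]) can be shown on a small model of two of the functions he lists, connection demultiplexing and forwarding. The following is an added illustration, not code from the draft or from any MLS implementation, and it makes simplifying assumptions: the label is carried as a string field on the packet, the forwarding table is an exact destination lookup rather than longest-prefix match, and the label names and packets are constructed for the example.

```python
"""Address-only vs (address, label) keying for demux and forwarding.

Added, constructed model for the mailing-list discussion above; it is not
the draft's specification nor any implementation's code. Labels, addresses
and packets below are made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UNCLASSIFIED, SECRET = "UNCLASSIFIED", "SECRET"  # hypothetical label names


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    label: str  # sensitivity label carried with the packet (assumed in an IP option)


FourTuple = Tuple[str, str, int, int]


def demux_by_address(table: Dict[FourTuple, str], pkt: Packet) -> Optional[str]:
    """Address-only demux: the label plays no part in locating the connection,
    so a packet at any label is delivered to whatever socket owns the 4-tuple."""
    return table.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))


def demux_by_address_and_label(table: Dict[Tuple[FourTuple, str], str],
                               pkt: Packet) -> Optional[str]:
    """Label-aware demux: each label is treated as its own virtual network,
    so the same 4-tuple at a different label is a different (or absent)
    connection."""
    return table.get(((pkt.src, pkt.dst, pkt.sport, pkt.dport), pkt.label))


def next_hop_by_address(routes: Dict[str, str], pkt: Packet) -> Optional[str]:
    """Address-only forwarding (exact-match stand-in for longest-prefix match)."""
    return routes.get(pkt.dst)


def next_hop_by_address_and_label(routes: Dict[Tuple[str, str], str],
                                  pkt: Packet) -> Optional[str]:
    """Per-label forwarding: a route installed at one label does not exist
    at another, so the labelled packet needs its own route or is dropped."""
    return routes.get((pkt.dst, pkt.label))


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: one SSH connection and one route exist only at
    UNCLASSIFIED; a packet with the same addresses arrives labelled SECRET."""
    four = ("10.0.0.1", "10.0.0.2", 40000, 22)
    addr_conns = {four: "ssh-session-unclassified"}
    labelled_conns = {(four, UNCLASSIFIED): "ssh-session-unclassified"}

    addr_routes = {"10.0.0.2": "via 10.0.0.254"}
    labelled_routes = {("10.0.0.2", UNCLASSIFIED): "via 10.0.0.254"}

    secret_pkt = Packet("10.0.0.1", "10.0.0.2", 40000, 22, SECRET)
    return {
        # Address-only keying silently merges the two virtual networks:
        "demux_address_only": demux_by_address(addr_conns, secret_pkt),
        # Label-aware keying keeps them apart (no such connection at SECRET):
        "demux_address_and_label": demux_by_address_and_label(labelled_conns, secret_pkt),
        "route_address_only": next_hop_by_address(addr_routes, secret_pkt),
        "route_address_and_label": next_hop_by_address_and_label(labelled_routes, secret_pkt),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The address-only functions return the unlabelled session and route for the SECRET packet, which is the merging of virtual networks that keying on the bare address allows; the label-aware functions return nothing for it, which is the separate-virtual-network behaviour the quoted sentence describes. Every other item on the list in the post (ICMP, ND, IGMP, PIM, IPsec SAs, tunnel endpoints, firewall rules) keeps a table keyed on addresses in the same way, and the same choice has to be made for each.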