Re: [73attendees] Security Label BOF Location and Time
Jarrett Lu <Jarrett.Lu@sun.com> Tue, 18 November 2008 00:53 UTC
Date: Mon, 17 Nov 2008 16:42:58 -0800
From: Jarrett Lu <Jarrett.Lu@sun.com>
In-reply-to: <678210550811170912i67701d84o7751c4effec67a51@mail.gmail.com>
To: David Quigley <quigleystravels@gmail.com>
Message-id: <49220F92.4040905@sun.com>
MIME-version: 1.0
References: <678210550811170912i67701d84o7751c4effec67a51@mail.gmail.com>
User-Agent: Thunderbird 2.0.0.17 (X11/20081023)
Cc: 73attendees@ietf.org, saag@ietf.org
Subject: Re: [73attendees] Security Label BOF Location and Time
David Quigley wrote:
>
> Background:
>
> Originally the term Security Label consisted of MLS and Integrity labels as they were used in the orange book. Since then there have been other forms of mandatory access control (MAC) and some MAC systems such as SELinux which implement several of the forms within the same system (Domain Type Enforcement (DTE), RBAC and MLS). In traditional MAC systems the policy is very rigid with the model being built into the operating system. In more recent MAC systems (SELinux, Trusted BSD, Solaris FMAC) the idea of flexibility of policy and mechanism have made it such that even if two systems use the same MAC model they may each possess completely different policies. Because of this the idea of a Domain of Interpretation (DOI) has become more important. Conceptually a DOI is a collection of systems where a label has a consistent semantic meaning across all of those systems. Traditionally MLS labels were represented as integers and bit fields so a DOI in this context defined what bits corresponded to which categories and what levels were present. In more recent systems labels are more directly represented as strings. For example in a DTE system a label may be httpd_content_t and two systems may possess this label but the semantics of it may be different.
>

This is a significant departure from the DOI definition that I understood. As you mentioned above, using the same DOI implies all systems agree to the same label interpretation and hence enforce the same label policies. I don't quite understand the rationale in wanting to change that definition to accommodate DTE MAC systems. Labels can be represented by strings or bitmaps (e.g. CIPSO). What's important is that systems interpret the labels the same way, and a DOI value is used to ensure that. If a label has different meanings on different systems, what do you need a DOI for? Just to be able to interpret a well-formed label?

I'd think the ability to interpret a label is implicit. If one doesn't recognize a label based on label definition, the packet should be dropped. We can discuss this some more. This post is for people who are interested in the topic but can't attend the BOF.

Jarrett
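As an added illustration of the point in Jarrett's reply (this is not code from the thread or from any of the systems it names): a receiver decodes a CIPSO-style bitmap label, resolves it only under a DOI it knows, and drops any packet whose label it cannot fully interpret. The DOI table, the category names and the simplified option layout are assumptions made for the example.

```python
import struct

# Constructed DOI table: in practice this is configuration shared by every
# system in a domain of interpretation (DOI); the names are illustrative.
DOI_TABLE = {
    1: {"levels": {0: "UNCLASSIFIED", 1: "CONFIDENTIAL", 2: "SECRET"},
        "categories": {0: "NUC", 1: "CRYPTO", 5: "FINANCE"}},
}

def parse_cipso_option(opt):
    """Decode a CIPSO-style IP option (type 134) carrying one bit-mapped tag.
    Layout assumed here: type, length, 4-byte DOI, then tag type 1, tag length,
    alignment octet, sensitivity level, category bitmap (category 0 = MSB)."""
    if len(opt) < 6 or opt[0] != 134 or opt[1] != len(opt):
        raise ValueError("malformed option header")
    doi = struct.unpack("!I", opt[2:6])[0]
    tag = opt[6:]
    if len(tag) < 4 or tag[0] != 1 or tag[1] != len(tag):
        raise ValueError("malformed bit-mapped tag")
    cats = set()
    for i, byte in enumerate(tag[4:]):
        for b in range(8):
            if byte & (0x80 >> b):
                cats.add(i * 8 + b)
    return doi, tag[3], cats

def interpret_label(doi, level, cats):
    """Map (DOI, level, category bits) to the names this DOI agrees on.
    Returns None when any part has no meaning under a DOI we recognize."""
    defn = DOI_TABLE.get(doi)
    if defn is None or level not in defn["levels"]:
        return None  # unknown DOI or level: no shared semantics
    if not cats.issubset(defn["categories"]):
        return None  # a category bit this DOI never defined
    names = tuple(sorted(defn["categories"][c] for c in cats))
    return defn["levels"][level], names

def accept_packet(opt):
    """Receiver decision: accept only a label it can fully interpret, else drop."""
    try:
        doi, level, cats = parse_cipso_option(opt)
    except ValueError:
        return False
    return interpret_label(doi, level, cats) is not None

def build_option(doi, level, cats):
    """Build a CIPSO-style option for constructing sample packets."""
    nbytes = (max(cats) // 8 + 1) if cats else 0
    bitmap = bytearray(nbytes)
    for c in cats:
        bitmap[c // 8] |= 0x80 >> (c % 8)
    tag = bytes([1, 4 + nbytes, 0, level]) + bytes(bitmap)
    return bytes([134, 6 + len(tag)]) + struct.pack("!I", doi) + tag
```

A packet carrying DOI 1, level 2 and categories {0, 5} resolves to ("SECRET", ("FINANCE", "NUC")); an unknown DOI, an undefined level or an undefined category bit each cause the packet to be dropped.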