Re: [IPsec] WESP - Roadmap Ahead

Dan McDonald <danmcd@sun.com> Mon, 16 November 2009 16:53 UTC

Return-Path: <danmcd@sun.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 104F13A6AE2 for <ipsec@core3.amsl.com>; Mon, 16 Nov 2009 08:53:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.046
X-Spam-Level:
X-Spam-Status: No, score=-6.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mjRqhbVKuBMq for <ipsec@core3.amsl.com>; Mon, 16 Nov 2009 08:53:39 -0800 (PST)
Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by core3.amsl.com (Postfix) with ESMTP id 11BD03A6AAA for <ipsec@ietf.org>; Mon, 16 Nov 2009 08:53:39 -0800 (PST)
Received: from dm-east-01.east.sun.com ([129.148.9.192]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id nAGGrPDI028563; Mon, 16 Nov 2009 16:53:26 GMT
Received: from kebe.East.Sun.COM (kebe.East.Sun.COM [129.148.174.48]) by dm-east-01.east.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.4) with ESMTP id nAGGrPBs008404; Mon, 16 Nov 2009 11:53:25 -0500 (EST)
Received: from kebe.East.Sun.COM (localhost [127.0.0.1]) by kebe.East.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id nAGGqm2f002032; Mon, 16 Nov 2009 11:52:48 -0500 (EST)
Received: (from danmcd@localhost) by kebe.East.Sun.COM (8.14.3+Sun/8.14.3/Submit) id nAGGqm3A002031; Mon, 16 Nov 2009 11:52:48 -0500 (EST)
X-Authentication-Warning: kebe.East.Sun.COM: danmcd set sender to danmcd@sun.com using -f
Date: Mon, 16 Nov 2009 11:52:48 -0500
From: Dan McDonald <danmcd@sun.com>
To: Stephen Kent <kent@bbn.com>
Message-ID: <20091116165248.GJ1232@kebe.East.Sun.COM>
References: <p06240800c720d4538dd2@133.93.112.234> <p0624080ac7212e67c860@133.93.16.246> <8CCEE8E4-9AC4-46FB-93E4-FE61E0135EB7@doubleshotsecurity.com> <p0624080ec7213743dc05@133.93.16.246> <dc8fd0140911112030y46aa24f9hf3715d57446e96c0@mail.gmail.com> <51eafbcb0911112144u6e25b826w4ec8110d1f73e652@mail.gmail.com> <p06240805c72267851254@[133.93.16.246]> <p06240825c7229aead977@[133.93.16.246]> <B71940AB-C732-4240-98CB-75E8C6AAF815@cs.columbia.edu> <p06240800c723d673384e@[10.11.1.91]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <p06240800c723d673384e@[10.11.1.91]>
Organization: Sun Microsystems, Inc. - Solaris Networking & Security
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "Bhatia, Manav \(Manav\)" <manav.bhatia@alcatel-lucent.com>, Steven Bellovin <smb@cs.columbia.edu>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2009 16:53:40 -0000

On Mon, Nov 16, 2009 at 11:39:30AM -0500, Stephen Kent wrote:

<SNIP!>

> >Or put the labels in the SA, since especially for IPSO you probably
> >want cryptographic separation of different security levels.
> 
> There are various options here. I know of devices that have opted to
> use ESP in tunnel mode to ensure the binding, and that is what I
> noted during the IPSECME WG session. I may know of an instance or two
> where AH has been used to do this, because if introduced less
> (bandwidth) overhead than tunnel mode. Implementations that make use
> of IPSO or CIPSO should negotiate the labels as part of the SA. The
> label should be part of the SPD, and be checked based on SAD entry
> data cached form the SPD. (Can you tell that I've been through al of
> this?) We had a presentation by Joy (remotely) on adding label
> support, as a new work item, which would explore these issues in more
> detail, if we choose to adopt this as a new Wg item.

If the WG takes on labeling, please make sure we don't concentrate on just
one platform (SELinux).  Besides Joy's work, there's now also SA-implicit
labeling on another platform:

	http://hub.opensolaris.org/bin/view/Project+txipsec/

Once build 128 hits the servers, you can play with it!

FYI,
Dan