IETF Logo Mail Archive

Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)

Nicolas Williams <Nicolas.Williams@sun.com> Wed, 08 April 2009 23:26 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1A4FF3A6BA1; Wed, 8 Apr 2009 16:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.813
X-Spam-Level:
X-Spam-Status: No, score=-5.813 tagged_above=-999 required=5 tests=[AWL=0.233, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ApIz5S31+p9v; Wed, 8 Apr 2009 16:26:09 -0700 (PDT)
Received: from brmea-mail-1.sun.com (brmea-mail-1.Sun.COM [192.18.98.31]) by core3.amsl.com (Postfix) with ESMTP id 27AD03A6B6A; Wed, 8 Apr 2009 16:26:09 -0700 (PDT)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by brmea-mail-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n38NRGWB014227; Wed, 8 Apr 2009 23:27:16 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n38NRFgx062604; Wed, 8 Apr 2009 17:27:15 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n38Mlt8c006842; Wed, 8 Apr 2009 17:47:55 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n38Mlthh006841; Wed, 8 Apr 2009 17:47:55 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Wed, 08 Apr 2009 17:47:55 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Jarrett Lu <Jarrett.Lu@sun.com>
Message-ID: <20090408224755.GV1500@Sun.COM>
References: <FAD1CF17F2A45B43ADE04E140BA83D48A9FFE9@scygexch1.cygnacom.com> <20090406151606.GQ1500@Sun.COM> <20090406180424.BA7AC9A4749@odin.smetech.net> <49DAC29D.6030902@schaufler-ca.com> <20090407164420.GW1500@Sun.COM> <49DC13DA.10405@schaufler-ca.com> <20090408051745.GG1500@Sun.COM> <49DCCC94.80501@schaufler-ca.com> <20090408211209.GS1500@Sun.COM> <49DD2833.9060301@sun.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <49DD2833.9060301@sun.com>
User-Agent: Mutt/1.5.7i
Cc: labeled-nfs@linux-nfs.org, Kurt Zeilenga <Kurt.Zeilenga@Isode.com>, nfsv4@ietf.org, saag@ietf.org, nfs-discuss@opensolaris.org, Casey Schaufler <casey@schaufler-ca.com>, Santosh Chokhani <SChokhani@cygnacom.com>
Subject: Re: [saag] [Labeled-nfs] Common labeled security (comment on CALIPSO, labeled NFSv4)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Apr 2009 23:26:10 -0000

On Wed, Apr 08, 2009 at 03:41:55PM -0700, Jarrett Lu wrote:
> It's not clear to me how much information is sufficient to guarantee a 
> subset of policy is consistent so that labeled communication is safe and 
> correct. One extreme is to require systems to be configured identically. 
> As I understand it, roles/types on DTE systems usually depend on what 
> kind of applications are run on the systems, and the types are defined 
> to constrains what the applications can do on a system. In other words, 
> policy on different systems are most likely different.

Right, but presumably applications using NFS can be made to have
identical sub-policies on all relevant NFS clients and servers.  If not
then why use NFS for such an application?  Of course, there's the matter
of home directories and random apps loaded on clients without server
knowledge, but if you're using labeled NFS then presumably you have an
infrastructure and site-/org-wide system administration that can ensure
orderly application deployment.

> >Jarret's point was that this is true even for MLS labels because a node
> >might not know what the meaning of a given sensitivity and compartment
> >are.  This is not a problem for CALIPSO because middle boxes need only
> >determine label dominance, but Jarret thinks that this is a problem for
> >NFS.
> >  
> 
> I believe this is a problem for MLS end systems (client and server), 
> even when CALIPSO is in use. If labels are defined differently on 
> different systems, e.g. same binary bit patten on two different systems 
> maps to different labels, label comparison is meaningless. The 
> underlying assumption is that if two systems use different label mapping 
> schemes, they should not be using the same DOI to communicate without 
> some sort of translation mechanism. The agreement of associating a DOI 
> with a particular label mapping is done outside of a protocol option 
> such as CIPSO (for IPv4) or CALIPSO (for IPv6). Just to be clear, 
> CALIPSO spec defines "on-the-wire" format of (MLS) sensitivity label 
> option for IPv6. It is not designed to communicate policy agreements 
> among systems.

Based on this I think I'm ready to conclude that for MLS we don't need
anything more than the DOI number/name to produce MLS policy agreement,
though a URI scheme for naming policies (including version) would have
better semantics.  DTE does not seem as simple, though assuming common
per-app sub-policies then it may be doable.

Nico
--

v2.23.0 | Report a Bug | By Email