On 04/01/09 09:46, Paul Moore wrote: > On Wednesday 01 April 2009 03:46:58 am Jarrett Lu wrote: > > [ ... ] > > >> The challenge of interpreting and translating labels is that one system >> needs to know a lot of info about its peer. And there is no good way to >> describe the (sometimes subtle) difference. I think this problem may be >> harder on DTE systems than on MLS systems, I believe. >> > > I'm not sure we will ever be able to arrive at a solution that requires a > system to be able to understand the security policy/labels of another; things > change to much and I don't think anyone's crystal ball is that good. > Personally I think the best we can do is hope for a solution that allows a > system to understand a security policy/label system defined by a pre-existing > DOI definition. If we can do that then we can at least allow two different > systems to communicate via an agreed upon DOI regardless of their internal > security policies/labels. I'll admit it isn't perfect, but I think the > problem space is much smaller and likely to have less churn over time. > This comes back to semantics of DOI. So far, I heard two slightly different versions: (1) DOI is a key to a set of label parsing functions. Knowing the DOI value implies the parser on the system knows how to parse the octet string in opaque field. It says nothing about whether a peer's label can be correctly interpreted. I believe Daivd's draft uses this definition. (2) In addition to being able to parse the opaque field, DOI also implies communicating systems have consistent label policy and encoding. Systems with inconsistent policies are not supposed to use same DOI. This definition is closer to the CALIPSO DOI, and is how MLS systems use DOI today. While (1) is easier to specify on the wire, I am not clear on what it takes to use it safely even when OOB methods are used. Since this definition doesn't say who should use this DOI and who is not supposed to, what happens when a node, which has not consented to the agreement over the OOB method, uses the same DOI and octet string format but with inconsistent label policy? (2) has an easier usage model, IMO. But it's harder to define a "pre-existing" DOI., e.g. define DOI X to mean vendor ABC, OS version 1.0, label policy 2.0, label parser version 3.0, etc., and store that in some kind of registry. I think Nico's "URL during authentication" idea is interesting. >>> Ultimately I believe that the required label translation information >>> (wire/DOI label to internal and the other way around) is going to need to >>> be bundled with the system's security policy and distributed as a single >>> "package". Granted this does require prior knowledge of the DOIs in use >>> but I believe this is a much easier requirement than the opposite. From >>> a practical point of view this isn't too far removed from the notion of >>> sending sending label encoding data upon joining the network, the big >>> difference is that we are sending both security policy and label >>> encoding/DOI-translation data at the same time (in the TSOL case I >>> suspect this would just be the label encoding data, which may mean the >>> original poster had this in mind). >>> >> Depending how different the systems are, the "package" content will be >> different. >> > > Yep, that is the point; squares hole need square pegs, round holes need round > pegs. > > >> Assuming we can assemble all the information required to do >> label translation correctly into a package, passing that around the >> systems seem inefficient, non-scalable ... >> > > Honestly I don't see it as being that far removed from many of the current > solutions that ship "security policy" to individual systems through the > network/enterprise. Also look at some of the NAC stuff that is being used > these days, how is a security policy/translation "package" all that different > from an anti-virus update or a set of os/application patches? > > It is a solvable problem, or at least one that users have shown a willingness > to tolerate. > I was thinking how to do that within a protocol enhancement. > >> ... and probably outside the scope of labeled NFSv4 enhancement. >> > > Perhaps. Keep in mind I'm trying to think a bit more generically; if that > isn't the goal I'll be happy to go back to my corner and sit quietly :) > > >> So realistically, I think the DOI + opaque label is useful between very >> compatible systems. >> > > Of course. I agree there are a lot of things you can do with a DOI + opaque > label, especially if you are only concerned about end-to-end security issues > which I believe is the case for labeled NFS. > > >> Given that limitation, may be the "package" is small enough and can be >> passed in RPC layer during authentication so that MLS can share files with >> like MLS systems, and same is true for DTE, fmac, smack, .... >> > > Well, I think all that the opaque label buys you is the ability to limit who > you share the security policy/translation "package" with, as those systems > that participate in the labeled communication (be it NFS, generic IP or some > other random service) still need to worry about label translation and security > policy differences if they want to enforce policy locally. > I am still trying to understand what is needed to make safe sharing possible. BTW, are you implying that it's always necessary to do one label translation, e.g. from on-the-wire format to a native label format? Jarrett