
Re: Secdir Review of draft-stjohns-sipso-05

2008-10-02 15:33:05
"Michael" == Michael StJohns <mstjohns(_at_)comcast(_dot_)net> writes:

    Michael> Hi Joe - A quick disclaimer - although I was complicit in
    Michael> allowing this draft to be resurrected from 1992, I have
    Michael> had very little to do with it on this cycle.


    Michael> At 02:18 PM 10/2/2008, Joe Touch wrote:

    >> First, I don't agree with this document's recommendation in
    >> section 7.3.1.
    >> 
    >> TCP's current definition of a connection is:
    >> 
    >> local IP address
    >> remote IP address
    >> local port
    >> remote port
    >> protocol (e.g., TCP)
    >> 
    >> I don't agree that treating each sensitivity level as a
    >> separate virtual network (Sec 3 of this ID) is the appropriate
    >> analogy. If that were the case, we'd need to redefine every
    >> Internet protocol to understand the pair [address, sensitivity
    >> level] as an identifier, and that is not realistic. Further, if
    >> we did need to do such an extension, there are other equally
    >> (or arguably more) worthy candidates, notably VPN-ID.
    Michael> A single level process at TOP SECRET does a passive open
    Michael> of the port (call it 666) and waits for connections.  A
    Michael> second single level process at SECRET also attempts to do
    Michael> a passive open to the same port - but gets blocked
    Michael> because the port resource is being held by the TOP SECRET
    Michael> process.  The SECRET process now has one bit of
    Michael> information about the TOP SECRET part of the host.  By
    Michael> grabbing and releasing port resources, the TS process can
    Michael> signal data to processes at lower security levels.

You're proposing a huge complexity increase for the TCP stack in order
to get this covert channel protection.  Now, I do understand the value
of covert channel avoidance in these environments.  However, I wonder
what other ways have been explored.  In particular, this draft focuses
on V6.  It's easy to create a new address on a V6 link.  Have people
looked at separating each virtual network interface onto its own
address?  I think you'd still need label options so that intermediate
systems could enforce mandatory access control, but this might allow
you to escape doing so much damage to the TCP implementation.


If using multiple addresses doesn't work, what other mechanisms have
people looked at?

Are there other ways to decrease the bandwidth of the covert channel to
an acceptable level?

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
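The port-contention channel Michael StJohns describes, and the two ways of closing it that the thread discusses (the draft's extended identifier as Joe Touch paraphrases it, and the reply's one-address-per-level suggestion), as a constructed model. This is an added illustration, not code from draft-stjohns-sipso or from any poster: it opens no real sockets, the "bind table" stands in for the kernel's table of passively opened TCP ports, and the addresses, port 666 and the bit pattern are made up.

```python
"""
Constructed model of the covert channel in the quoted text and of two ways to
close it. Added illustration only: not code from draft-stjohns-sipso or from
any poster, and it opens no real sockets. The "bind table" stands in for the
kernel's table of passively opened TCP ports; addresses and port 666 are made up.
"""
from collections import namedtuple

Binding = namedtuple("Binding", "address port level")

TS = "TOP SECRET"
S = "SECRET"


class BindTable:
    """Passive-open namespace. `key_of` decides which bindings conflict."""

    def __init__(self, key_of):
        self.key_of = key_of
        self.held = {}

    def bind(self, address, port, level):
        """Passive open; False means EADDRINUSE (the resource is already held)."""
        b = Binding(address, port, level)
        key = self.key_of(b)
        if key in self.held:
            return False
        self.held[key] = b
        return True

    def release(self, address, port, level):
        self.held.pop(self.key_of(Binding(address, port, level)), None)


# Conventional TCP: a listener is identified by (local address, local port).
def conventional_key(b):
    return (b.address, b.port)


# The draft's section 7.3.1 approach as Joe Touch paraphrases it: the
# sensitivity level becomes part of the identifier.
def labelled_key(b):
    return (b.address, b.port, b.level)


def send_bits(table, sender_addr, receiver_addr, port, bits):
    """Michael StJohns's channel. Per time slot, the TOP SECRET sender holds
    `port` to signal 1 and leaves it free to signal 0; the SECRET receiver
    probes with its own passive open and reads 1 when that fails."""
    decoded = []
    for bit in bits:
        if bit and not table.bind(sender_addr, port, TS):
            raise RuntimeError("sender could not grab the port")
        probe_ok = table.bind(receiver_addr, port, S)
        if probe_ok:
            table.release(receiver_addr, port, S)   # probe only; do not hold it
        decoded.append(0 if probe_ok else 1)
        if bit:
            table.release(sender_addr, port, TS)
    return decoded


def channel_open(table, sender_addr, receiver_addr, pattern=(1, 0, 1, 1, 0, 0, 1, 0)):
    """True if the receiver recovers the sender's bit pattern exactly."""
    return send_bits(table, sender_addr, receiver_addr, 666, pattern) == list(pattern)


def bits_per_slot(table, sender_addr, receiver_addr):
    """Crude capacity estimate: 1 bit per slot if the probe result depends on
    the sender's bit, 0 if the receiver sees the same answer either way."""
    seen = {send_bits(table, sender_addr, receiver_addr, 666, [b])[0] for b in (0, 1)}
    return 1 if len(seen) == 2 else 0


if __name__ == "__main__":
    host = "2001:db8::1"          # one address shared by every level (made up)
    print("shared address, conventional TCP :",
          bits_per_slot(BindTable(conventional_key), host, host))
    print("shared address, labelled tuple   :",
          bits_per_slot(BindTable(labelled_key), host, host))
    print("address per level, conventional  :",
          bits_per_slot(BindTable(conventional_key), "2001:db8::ts", "2001:db8::s"))
```

The only thing that differs between the three runs is what the table treats as a conflict, which is the trade-off the thread is about: the labelled-tuple case changes the key the stack uses for every lookup, while the per-level-address case leaves the conventional key alone and changes only which address each level binds to. In both closed cases the SECRET process's own passive open succeeds, so the lower level keeps the port and learns nothing from it.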