On thing that sticks out from the Introduction is this:
| However, some applications (e.g. distributed file systems),
| most often those not designed for use with Compartmented Mode
| Workstations or other Multi-Level Secure (MLS) computers,
| multiplex different transactions at different sensitivity levels
| and/or with different privileges over a single IP communications
| session (e.g. with the User Datagram Protocol).
So far so good, and certainly true. But then:
| In order to
| maintain data Sensitivity Labeling for such applications, in
| order to be able to implement routing and Mandatory Access
| Control decisions in routers and guards on a per-IP-packet basis,
| and for other reasons, there is a need to have a mechanism for
| explicitly labeling the sensitivity information for each IPv6
| packet.
So if I understand correctly then this document would have an
implementation of, say, NFSv4[0] over TCP[1] send TCP packets for the
same TCP connection with different labels, *and* ensure that each packet
contains parts of no more than one (exactly one) NFSv4 RPC.
Surely that would have an enormous impact on transport protocol
implementations!
And all so that middle boxes can make labelled routing decisions at
100Gbps wire speed. And these are not simple labels either.
And the middle boxes have to trust the end nodes to get the labelling
right.
Call me a skeptic. I don't see this flying.
In any case, wouldn't it be easier to just use IPsec with labelled SAs
(with no outer packet labelling) and let the middle boxes be label
agnostic? The end nodes still have to be trusted to get the labelling
right, but this way you free the middle boxes to do what they're good at
(routing) and use crypto to provide integrity and confidentiality
protection over any public networks.
And if you really must have outer packet labelling for middle boxes to
inspect, why not modify NFSv4 clients to use a TCP connection per-local
{user, label}? That'd certainly be a lot less troublesome than to
modify TCP to keep track of labels in a PCB's buffers/arrange to send
each sub-buffer in a separate packet or train of packets!
The changes proposed in this I-D are non-trivial, but there are clearly
far simpler alternatives.
Nico
[0] "e.g. distributed file systems"? NFSv4 qualifies.
[1] "multiplex different transactions... over a single IP communications
session (e.g. with the User Datagram Protocol)"? NFSv4 qualifies,
though the mandatory-to- implement transport for NFSv4 is TCP, not
UDP.
--
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf