Implementing CIPSO -- domains of interpretation, etc

Ilmar S. Habibulin ilmar at watson.org
Fri Jun 20 07:45:56 GMT 2003



On Thu, 19 Jun 2003, Robert Watson wrote:

> Over the past few months, we've seen a lot of interest in a CIPSO
> implementation for TrustedBSD.  Right now, labels are maintained

CIPSO is hard to implement because there is no strict standard or
instruction on how to do it. ;-) IPSec MLS and Biba support is much
easier to implement. Maybe this could be a starting point for network label
externalization? There are strict instructions on IPSec control messages,
which can hold labels of any size. If you are using CIPSO for MLS label
transfer, you will be able to transfer max 238(?) bits of compartments,
and what should you do if you have 1000 of them in use?

PS. It is just a thought to think on. I'm not a good programmer, so my
cipso code was ugly. ipsec seemed to me easier to hack. And it
provides more features, one can use more compartment bits. But it can be
used only for MLS and Biba policies.



