[Labeled-nfs] Labeled RPC & NFS
Casey Schaufler
casey at schaufler-ca.com
Mon Jan 14 16:19:23 EST 2008
--- James Morris <jmorris at namei.org> wrote:
> On Mon, 14 Jan 2008, Casey Schaufler wrote:
>
> >
> > --- James Morris <jmorris at namei.org> wrote:
> >
> > > I gather the expectation is that AUTH_SECLABEL would be used in
> > > conjunction with IPSec or other machine-based security. I believe this
> > > can provide useful security if configured carefully, e.g. specify MAC
> > > policy on the client so that only trusted subjects have the ability to
> > > send traffic to the NFS port, to prevent forging of RPC messages (and
> thus
> > > MAC attributes); or even use labeled IPSec :-)
> >
> > I will point out that in the Unix world MAC systems have been using
> > labeled NFS without (and with) additional authentication schemes for
> > many years. You can slow yourselves down by adding a dependency on
> > orthoganal issues, I suggest to retain focus on the task at hand.
>
> That's not going to work for general purpose MAC, where people don't have
> physically secure networks, in-line encryptors, extensive security
> training, static, well-documented system configurations or the resources
> to administer such systems.
I didn't say it would work, I said it does work. It has been deployed
many times. Your assertion is demonstrably false.
> It pretty much needs to "just work". Enabling MAC on NFS should not mean
> having to change authentication schemes, especially to something
> potentially less secure.
Yes. Any authentication scheme, including "none", that works for
systems without MAC needs to work with systems with MAC. It is,
however, a separate problem. If you say "MAC requires at least
authentication level 3" you are going to blow any chance of general
purpose MAC in the marketplace. Really. I'm not making this up.
Security people.
Casey Schaufler
casey at schaufler-ca.com
More information about the Labeled-nfs
mailing list