[Labeled-nfs] Labeled RPC & NFS
James Morris
jmorris at namei.org
Mon Jan 14 17:10:16 EST 2008
On Mon, 14 Jan 2008, Casey Schaufler wrote:
> > That's not going to work for general purpose MAC, where people don't have
> > physically secure networks, in-line encryptors, extensive security
> > training, static, well-documented system configurations or the resources
> > to administer such systems.
>
> I didn't say it would work, I said it does work. It has been deployed
> many times. Your assertion is demonstrably false.
I'm talking about general purpose in the true sense, as in, enabled by
default in a general purpose OS and in use by hundreds of thousands of
ordinary users. Which is already the case today.
These users will need the option to protect MAC labels using commonly
available mechanisms such as IPsec and Kerberos, and possibly PKU2U at
some point soon.
What I'm saying won't work is forcing people down a specific path which
limits their choice of authentication schemes, especially in the case of
GSSAPI, which is where the IETF and implementors have been focusing a
great deal of effort.
> > It pretty much needs to "just work". Enabling MAC on NFS should not mean
> > having to change authentication schemes, especially to something
> > potentially less secure.
>
> Yes. Any authentication scheme, including "none", that works for
> systems without MAC needs to work with systems with MAC. It is,
> however, a separate problem.
No, that is exactly the problem. AUTH_SECLABEL will preclude the use of
GSS.
> If you say "MAC requires at least authentication level 3" you are going
> to blow any chance of general purpose MAC in the marketplace.
I'm not saying that. I'm saying that general purpose MAC for NFS needs to
accommodate users who want GSS.
Hope that clarifies.
- James
--
James Morris
<jmorris at namei.org>
More information about the Labeled-nfs
mailing list