[Labeled-nfs] Labeled RPC & NFS

Casey Schaufler casey at schaufler-ca.com
Mon Jan 14 17:24:00 EST 2008 

--- James Morris <jmorris at namei.org> wrote:

> On Mon, 14 Jan 2008, Casey Schaufler wrote:
> 
> > > That's not going to work for general purpose MAC, where people don't have
> 
> > > physically secure networks, in-line encryptors, extensive security 
> > > training, static, well-documented system configurations or the resources 
> > > to administer such systems.
> > 
> > I didn't say it would work, I said it does work. It has been deployed
> > many times. Your assertion is demonstrably false.
> 
> I'm talking about general purpose in the true sense, as in, enabled by 
> default in a general purpose OS and in use by hundreds of thousands of 
> ordinary users.  Which is already the case today.
> 
> These users will need the option to protect MAC labels using commonly 
> available mechanisms such as IPsec and Kerberos, and possibly PKU2U at 
> some point soon.
> 
> What I'm saying won't work is forcing people down a specific path which 
> limits their choice of authentication schemes, especially in the case of 
> GSSAPI, which is where the IETF and implementors have been focusing a 
> great deal of effort.
> 
> > > It pretty much needs to "just work".  Enabling MAC on NFS should not mean
> 
> > > having to change authentication schemes, especially to something 
> > > potentially less secure.
> > 
> > Yes. Any authentication scheme, including "none", that works for
> > systems without MAC needs to work with systems with MAC. It is,
> > however, a separate problem.
> 
> No, that is exactly the problem.  AUTH_SECLABEL will preclude the use of 
> GSS.

Ah, well, you're right. That would be bad.

> > If you say "MAC requires at least authentication level 3" you are going 
> > to blow any chance of general purpose MAC in the marketplace.
> 
> I'm not saying that.  I'm saying that general purpose MAC for NFS needs to 
> accommodate users who want GSS.
> 
> Hope that clarifies.

It does. Thank you. Some days I can be real thick headed.


Casey Schaufler
casey at schaufler-ca.com

More information about the Labeled-nfs mailing list