
Re: Protocols at the Point of a Gun

Scott Brickner writes:
> 
> Steve Reid writes:
> >Really, the appropriate place for content filtering is at the application 
> >layer. It *could* be done at the transport layer, but that's really not 
> >the place for it.
> 
> Izzat so?  So explain to me what the difference between the PICS type
> ratings and security classifications is.
> 
> Clearly the IETF believed that the network layer was an appropriate
> place for general classification when they developed IPv4.  I haven't
> verified it, but I suspect that IPv6 has (or will have) an appropriate
> mechanism for indicating security classification.

That's not at all clear.  The IETF did not sit down in committee and
"develop IPv4" (thank god).  And I've not seen any evidence that it was
designed with support for security labels in mind.

Personally, I agree with Steve that, even though IP *may* be used to
propagate security options, it isn't the "right" place.

One problem with labeling things at the transport level is that this
requires support for the labels throughout the operating system(s) on
which the "content" is generated (at least for a "real" multi-user system
with a potentially mixed adult/child user base) or through which it flows.
The operating system has to carry labels around in conjunction with each
and every process and file on the system in order that the low-level
software will be able to accurately label IP datagrams.  And this OS
support is both difficult to implement and onerous to the users and
applications running on that platform -- otherwise, we'd all be running
on TCSEC B-level operating systems right now.

Fundamentally, the decision boils down to whether you want the labeling
to be mandatory (as with DoD security labels) or voluntary as with PICS.


-- Jeff
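An added illustration (my own, not code from Jeff or anyone else in this thread) of the two models the message contrasts. The label lattice, the process/file labels the OS would have to carry, the stack stamping the sender's label on each datagram, and the labeled interface range are all hypothetical constructions, modelled loosely on Bell-LaPadula style mandatory labels; the PICS-style check at the end shows why a voluntary, self-declared rating gives the network nothing to enforce when it is simply absent.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Hypothetical hierarchy of sensitivity levels, low to high (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: higher-or-equal level AND a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Process:
    pid: int
    label: Label          # the OS must track this for every subject ...


@dataclass
class FileObj:
    path: str
    label: Label          # ... and for every object it may read or write
    data: bytes


def mac_read_allowed(proc: Process, obj: FileObj) -> bool:
    """Simple security property: read only if the subject dominates the object (no read up)."""
    return proc.label.dominates(obj.label)


def mac_write_allowed(proc: Process, obj: FileObj) -> bool:
    """*-property: write only if the object dominates the subject (no write down)."""
    return obj.label.dominates(proc.label)


@dataclass
class Datagram:
    src: str
    dst: str
    label: Label          # stamped by the stack from the sender's label, not chosen by the app
    payload: bytes


def stack_send(proc: Process, src: str, dst: str, payload: bytes) -> Datagram:
    """The network layer can only label a datagram because the OS already labels the process."""
    return Datagram(src, dst, proc.label, payload)


def interface_accepts(dg: Datagram, low: Label, high: Label) -> bool:
    """A labeled interface forwards a datagram only if its label lies within [low, high]."""
    return dg.label.dominates(low) and high.dominates(dg.label)


def voluntary_filter(content_rating: Optional[int], max_allowed: int) -> str:
    """PICS-style check: the rating is self-declared by the publisher and may be absent."""
    if content_rating is None:
        return "unrated"       # no layer below the application can supply it
    return "blocked" if content_rating > max_allowed else "allowed"


if __name__ == "__main__":
    secret_crypto = Label("SECRET", frozenset({"CRYPTO"}))
    p = Process(pid=100, label=secret_crypto)
    f = FileObj("/srv/plans.txt", Label("CONFIDENTIAL"), b"constructed sample data")
    print("read:", mac_read_allowed(p, f), "write:", mac_write_allowed(p, f))
    dg = stack_send(p, "10.0.0.1", "10.0.0.2", b"hello")
    print("forwarded:", interface_accepts(dg, Label("UNCLASSIFIED"), secret_crypto))
    print("unrated page:", voluntary_filter(None, 2))
```

The point the code makes is the one in the message: every mandatory check on the wire depends on a label that originated inside the OS with the process, so the datagram label is only as trustworthy as the whole labeled system behind it, whereas the voluntary rating is just metadata the application may or may not carry.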