Cc: Joshua Brindle <method@...>, Andrew Morton <akpm@...>, <casey@...>, <torvalds@...>, <linux-security-module@...>, <linux-kernel@...>, James Morris <jmorris@...>, Paul Moore <paul.moore@...>
On Sun, Sep 30, 2007 at 10:05:57PM +0200, Andi Kleen wrote:
The whole *point* is that the routers are interconnecting boxes inside
the cluster, and none of them connect to the outside world. It's no
different than a SCSI cable connecting to JBOD in a separate box, or a
Fiber Channel router connected to a SAN network connecting to a
storrage array. The SCSI or FC buses aren't encrypted either, and the
in the Fiber channel case we have a router --- yet people aren't
stressing out that we're not encrpying the traffic over the Storage
Area Network? Why? Because it's understood the network stays inside
the machine room. The same thing can true for Ethernet --- think
iSCSI, for example.
If you get past all of the guards, you can usually reboot in single
user mode, and get root anyway. If you have physical access to the
computer, you're generally doomed anyway, unless you are willing to
pay the cost of encrypting everything on every single disk platter.
(And yes, in the more paranoid environments, where it's too expensive
to have 7x24 armed guards, maybe that makes sense.)
The point of something like CIPSO is because you want to label the
packets so the otherside knows how they should be treated. We don't
encrypt unix permission bits on most on-disk filesystems, either. Yet
I haven't heard people saying that just because someone could break
into a machine room, disconnect the JBOD from the computer, hook up
the JBOD to their laptop, and futz with the Unix permission bits,
rehook up the JBOD and reboot, that Unix permission bits are useless,
and we should leave all files at mode 777 --- since clearly we're not
secure against someone who can break into the machine room.....
I *hope* that sounds absurd, right?
- Ted
-
