[redhat-lspp] Re: [RFC 3/7] NetLabel: CIPSOv4 engine

Joe Nall joe at nall.com
Mon Jun 26 23:14:12 UTC 2006


On Jun 22, 2006, at 4:12 AM, David Miller wrote:

> From: paul.moore at hp.com
> Date: Wed, 21 Jun 2006 15:42:38 -0400
>
>> Add support for the Commercial IP Security Option (CIPSO) to the
>> IPv4 network stack.  CIPSO has become a de-facto standard for
>> trusted/labeled networking amongst existing Trusted Operating
>> Systems such as Trusted Solaris, HP-UX CMW, etc.  This
>> implementation is designed to be used with the NetLabel subsystem to
>> provide explicit packet labeling to LSM developers.
>
> The thing that concerns me most about CIPSO is that even once users
> migrate to a more SELINUX native approach from this CIPSO stuff, the
> CIPSO code, its bloat, and its maintenance burden will remain.
>
> It's easy to put stuff in, it's impossible to take stuff out even
> once it's largely unused by even its original target audience.
>
> And that's what I see happening here.
>
> This is why, to be perfectly honest with you, I'd much rather
> something like this stay out-of-tree and people are strongly
> encouraged to use the more native stuff under Linux.

We are looking to replace a number of 20-60 node CMW networks with
lots of applications with an SELinux based network. Since mainstream
support for multilevel X Windows appears a ways off, we are looking
to replace the servers first and use the current CMWs as fat clients.
To make this work we need multilevel networking interoperability
between the SELinux and CMW systems.

We have been testing Paul's CIPSO patch against our existing systems  
with good results.

For all of the EAL4 LSPP Linux evaluation work being done by Red
Hat/IBM/HP/atsec and others to be useful to integrators, there has to
be basic (e.g. CIPSO) multilevel network interoperability with
existing multilevel systems and good (e.g. IPSec) multilevel
networking between SELinux systems. Without that support, it will be
like some early Microsoft evaluations (1,2) that were reported to
have been done 'without a network card', a piece of paper describing
the test of a brick.

joe

(1) http://support.novell.com/techcenter/articles/ana19970705.html  
(search for 'without')
(2) http://www.aaxnet.com/design/msanti.html (search for 'did not  
have a network card')
