[redhat-lspp] Re: [RFC 3/7] NetLabel: CIPSOv4 engine
Joe Nall
joe at nall.com
Mon Jun 26 23:14:12 UTC 2006
On Jun 22, 2006, at 4:12 AM, David Miller wrote:
> From: paul.moore at hp.com
> Date: Wed, 21 Jun 2006 15:42:38 -0400
>
>> Add support for the Commercial IP Security Option (CIPSO) to the
>> IPv4 network stack. CIPSO has become a de-facto standard for
>> trusted/labeled networking amongst existing Trusted Operating
>> Systems such as Trusted Solaris, HP-UX CMW, etc. This
>> implementation is designed to be used with the NetLabel subsystem to
>> provide explicit packet labeling to LSM developers.
>
> The thing that concerns me most about CIPSO is that even once users
> migrate to a more SELINUX native approach from this CIPSO stuff, the
> CIPSO code, its bloat, and its maintenance burden will remain.
>
> It's easy to put stuff in, it's impossible to take stuff out even
> once it's largely unused by even its original target audience.
>
> And that's what I see happening here.
>
> This is why, to be perfectly honest with you, I'd much rather
> something like this stay out-of-tree and people are strongly
> encouraged to use the more native stuff under Linux.

We are looking to replace a number of 20-60 node CMW networks with
lots of applications with an SELinux based network. Since mainstream
support for multilevel X Windows appears a ways off, we are looking
to replace the servers first and use the current CMWs as fat clients.
To make this work we need multilevel networking interoperability
between the SELinux and CMW systems.

We have been testing Paul's CIPSO patch against our existing systems
with good results.

For all of the EAL4 LSPP Linux evaluation work being done by Red
Hat/IBM/HP/atsec and others to be useful to integrators, there has to
be basic (e.g. CIPSO) multilevel network interoperability with
existing multilevel systems and good (e.g. IPSec) multilevel
networking between SELinux systems. Without that support, it will be
like some early Microsoft evaluations (1,2) that were reported to
have been done 'without a network card', a piece of paper describing
the test of a brick.

joe
(1) http://support.novell.com/techcenter/articles/ana19970705.html
(search for 'without')
(2) http://www.aaxnet.com/design/msanti.html (search for 'did not
have a network card')