[redhat-lspp] [RFC] A Proposal for CIPSO on Linux (again)

Chris Wright chrisw at osdl.org
Tue Oct 25 20:02:03 UTC 2005


* Paul Moore (paul.moore at hp.com) wrote:
> Chris Wright wrote:
> Standard IPsec AH headers can provide header integrity since the CIPSO 
> IP option should be considered an immutable option.

I guess that's my point.  Using ipsec...so use ipsec ;-)

> As far as 
> fragmentation goes, please read my original proposal as I am thinking of 
> adding the CIPSO IP option to the socket and letting the normal network 
> stack processing label the packets (from what I can tell it should 
> handle fragments correctly, i.e. attach the option to each fragment). 

Yes, I saw that with post_create hook.  But didn't look too far to see
that the socket label is copied to every fragment, since LSM post_create by
itself is not enough.  Nor did I see where you protect from setsockopt
to turn it off?  I think the whole idea is harder to show secure than
using ipsec approach.  I also didn't see how you handle raw sockets.

> Regarding encapsulation, encapsulation within what?  Another IPv4 
> header?  An IPv6 header?

Either, really.  But I was thinking of GRE and IP-in-IP type.  Point is,
I think doing it right (meaning can't undermine the protection) is what
requires more invasive hooks.

> The point of attempting this again is because there are large customers 
> who are running multi-level networks using CIPSO and so far the feedback 
> we have received from them is that implicit packet labeling using 
> non-standard extensions to IKE/IPsec is not really an option.  Having 
> CIPSO as an option for a MLS Linux system means we can offer 
> users/customers a solution which they can plug into their existing networks.

This is the only compelling reasoning, but it's not technical, and I
think the technical issues outweigh here.  The problem is the performance
hit is felt too far and wide.  This is processing that has to happen on
every outbound and inbound packet.  Inbound is certainly helped since
we have security_sock_rcv_skb.

> Also, please keep in mind that my CIPSO proposal and Trent's IPsec 
> approach are not mutually exclusive.  Both can co-exist in a running kernel.

*nod*

thanks,
-chris
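
Added example, not part of the original message or of either proposal: a receiver-side check for the fragment question raised above, which finds the CIPSO option (IPv4 option type 134) in a raw header and confirms that two fragments carry the same label. The function names and the sample headers (DOI 1, tag type 1, level 5, 192.0.2.x addresses) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPOPT_EOL   0
#define IPOPT_NOP   1
#define IPOPT_CIPSO 134   /* 0x86: high "copied" bit set, so RFC 791
                             fragmentation repeats it in every fragment */

/* Locate the CIPSO option in a raw IPv4 header. Returns a pointer to its
 * type byte and stores the option length, or NULL if the option is absent
 * or the option list is malformed. */
const uint8_t *find_cipso(const uint8_t *hdr, size_t len, uint8_t *optlen)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return NULL;
    size_t ihl = (size_t)(hdr[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return NULL;
    for (size_t i = 20; i < ihl; ) {
        uint8_t type = hdr[i];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= ihl || hdr[i + 1] < 2 || i + hdr[i + 1] > ihl)
            return NULL;                         /* truncated option */
        if (type == IPOPT_CIPSO) { *optlen = hdr[i + 1]; return hdr + i; }
        i += hdr[i + 1];
    }
    return NULL;
}

/* Receiver-side check: 1 only if both fragment headers carry byte-identical
 * CIPSO options; an unlabeled or differently labeled fragment yields 0. */
int same_label(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    uint8_t la = 0, lb = 0;
    const uint8_t *oa = find_cipso(a, alen, &la);
    const uint8_t *ob = find_cipso(b, blen, &lb);
    return oa && ob && la == lb && memcmp(oa, ob, la) == 0;
}

/* Constructed sample headers (checksums left zero): DOI 1, tag type 1, level 5. */
const uint8_t frag_first[32] = { 0x48,0,0,0x28, 0x12,0x34,0x20,0x00, 0x40,0x11,0,0,
    192,0,2,1, 192,0,2,2, 0x86,0x0a,0,0,0,1, 0x01,0x04,0x00,0x05, 0,0 };
const uint8_t frag_next[32]  = { 0x48,0,0,0x28, 0x12,0x34,0x00,0x01, 0x40,0x11,0,0,
    192,0,2,1, 192,0,2,2, 0x86,0x0a,0,0,0,1, 0x01,0x04,0x00,0x05, 0,0 };
const uint8_t frag_bare[20]  = { 0x45,0,0,0x1c, 0x12,0x34,0x00,0x02, 0x40,0x11,0,0,
    192,0,2,1, 192,0,2,2 };
```

This only covers the header of each fragment as received; it says nothing about whether a sender can strip the option with setsockopt or bypass it with a raw socket.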