some things to discuss about MAC
Robert Watson
rwatson at FreeBSD.org
Sun Dec 30 16:22:43 GMT 2001
On Sat, 29 Dec 2001, Crist J. Clark wrote:
> On Sat, Dec 29, 2001 at 09:21:21AM -0500, Robert Watson wrote:
> [snip]
>
> > - IPsec transport mode might also be interesting, although I have not yet
> > thought about it much. My guess is that we'd assign labels based on the
> > SA, but since I think IP options are not covered by AH, we might not be
> > able to use CIPSO with it. Not sure yet, but it's worth exploring.
>
> IPv4 options are handled by AH. Heavily snipped portions of RFC2402:
>
> 3.3.3.1.1.2 Options
>
> For IPv4 (unlike IPv6), there is no mechanism for tagging options as
> mutable in transit. Hence the IPv4 options are explicitly listed in
> Appendix A and classified as immutable, mutable but predictable, or
> mutable. For IPv4, the entire option is viewed as a unit; so even
> though the type and length fields within most options are immutable
> in transit, if an option is classified as mutable, the entire option
> is zeroed for ICV computation purposes.
So it sounds like it would be inappropriate to add CIPSO labels to an
IPsec-protected packet on its way up the stack; as such, we'd have to use
the mbuf label rather than the packet label, and filter based on the mbuf
label not the packet label. Also, if we were to introduce relabeling
rules such as those I described in a previous e-mail, only mbuf labels
could be modified by the rules, not CIPSO labels.
Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org NAI Labs, Safeport Network Services
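An added illustration of the point settled in this exchange (not code from the thread, TrustedBSD or FreeBSD): a toy AH integrity check in the style of RFC 2402 that zeroes the mutable IPv4 fields and any option Appendix A classifies as mutable before computing the ICV, so a TTL decrement still verifies while rewriting or inserting a CIPSO option (type 134, immutable) does not. The key, addresses, CIPSO option bytes and the omission of the AH header itself are constructed simplifications.

```python
import hashlib, hmac, struct

# IPv4 option types RFC 2402 Appendix A classifies as immutable (covered by the ICV):
# EOL, NOP, Security, Extended Security, Commercial Security (CIPSO, type 134), Stream ID, Router Alert.
IMMUTABLE_OPTIONS = {0, 1, 130, 133, 134, 136, 148}

def build_ipv4_header(src, dst, options=b"", ttl=64, tos=0, payload_len=0):
    # Constructed header: protocol 51 (AH), checksum left zero, options padded with EOL to 32-bit words.
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, tos, ihl * 4 + payload_len,
                       0x1234, 0, ttl, 51, 0, src, dst) + options

def ah_zero_mutable(hdr):
    # Zero what RFC 2402 3.3.3.1.1 marks mutable: TOS, flags/fragment offset, TTL, checksum,
    # and every option not in the immutable list (the whole option, type and length included).
    ihl = (hdr[0] & 0x0F) * 4
    h = bytearray(hdr[:ihl])
    h[1] = h[8] = 0
    h[6:8] = h[10:12] = b"\x00\x00"
    i = 20
    while i < ihl:
        if h[i] in (0, 1):                      # EOL and NOP are single-byte options
            i += 1
            continue
        length = h[i + 1]
        if h[i] not in IMMUTABLE_OPTIONS:
            h[i:i + length] = bytes(length)
        i += length
    return bytes(h)

def ah_icv(key, hdr, payload):
    # HMAC-SHA1-96 as in RFC 2404; the AH header itself is omitted here to keep the example short.
    return hmac.new(key, ah_zero_mutable(hdr) + payload, hashlib.sha1).digest()[:12]

def ah_verify(key, hdr, payload, icv):
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)

# Constructed CIPSO option: type 134, length 10, DOI 1, one tag (type 1, length 4, alignment octet, level 3).
CIPSO = bytes([134, 10, 0, 0, 0, 1, 1, 4, 0, 3])
KEY, PAYLOAD = b"constructed-demo-key", b"hello"
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])

def demo():
    labelled = build_ipv4_header(SRC, DST, CIPSO, payload_len=len(PAYLOAD))
    icv = ah_icv(KEY, labelled, PAYLOAD)
    hopped = bytearray(labelled); hopped[8] -= 1          # a router decrementing TTL: still verifies
    relabelled = bytearray(labelled); relabelled[29] = 5  # rewriting the CIPSO sensitivity level: fails
    plain = build_ipv4_header(SRC, DST, payload_len=len(PAYLOAD))
    return (ah_verify(KEY, bytes(hopped), PAYLOAD, icv),
            ah_verify(KEY, bytes(relabelled), PAYLOAD, icv),
            ah_verify(KEY, labelled, PAYLOAD, ah_icv(KEY, plain, PAYLOAD)))  # label added after the fact: fails
```

`demo()` returns `(True, False, False)`: only the TTL change survives verification, which is why a label carried on an AH-protected packet has to live in the mbuf rather than in the CIPSO option.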