Question about MAC labels and IP fragment handling
rwatson at FreeBSD.org
Sun Feb 3 02:55:58 GMT 2002
For those interested, I've recently submitted updates to the TrustedBSD
MAC Perforce repository that address IP fragmentation in the following

(1) As before, when an IP datagram is fragmented, the MAC policy framework
is presented with the datagram mbuf and each fragment mbuf, so as to
initialize the fragment mbuf labels. As before, all label-based MAC
policies simply copy the label from the datagram to each fragment.

(2) Several MAC hooks are introduced during the reassembly process:

mac_mbuf_fragment_matches_mbuf_fragmentqueue() augments the matching
process by which a newly received fragment is compared with existing
reassembly queues. Using this hook, MAC policies may prevent
fragments that would otherwise be reassembled from being placed in the
same queue, presumably based on their label. For current label-based
MAC policies, label equality is required for two fragments to be
reassembled. In theory, this might not always be the case: for
example, TE might assign types based on the source interface, but
permit fragments arriving on different interfaces to be reassembled
into a single datagram.

mac_create_mbuf_fragmentqueue_from_mbuf_fragment() permits MAC
policies to label a newly created fragment queue based on the fragment
that caused the queue to be instantiated. Current label-based MAC
policies simply copy the fragment label into the queue label.

mac_update_mbuf_fragmentqueue_from_mbuf_fragment() permits MAC
policies to update the fragment queue label based on new fragments
accepted into the queue based on the above _matches_ API call. This
hook addresses the requirements for composing labels that might differ
across fragments accepted. For example, if TE accepts fragments with
different labels for reassembly, it must compose those fragments'
labels into a single coherent (and policy-driven) datagram label.
Using this hook, each fragment label is presented to the MAC policies
for consideration. Currently, no label-based MAC policies implement
this hook, although TE may do so in the future.

mac_create_mbuf_datagram_from_mbuf_fragmentqueue() permits MAC
policies to determine a final label for the reassembled datagram based
on the fragment queue label. Current label-based MAC policies simply
copy the fragment queue label to the datagram label.

This would seem to permit the broadest and most flexible scope for label
handling in the MAC framework. The current implementation seems
reasonable (label equality required to compose the fragments, resulting in
a single label that is simply copied to the final datagram). If there is
a potential useful MAC policy arrangement that cannot be implemented using
the current hook set, feel free to speak up.
Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org
NAI Labs, Safeport Network Services
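As an added illustration, not code from the TrustedBSD repository, here is a toy C model of how the four reassembly hooks chain together under the label-equality policy the message describes. The one-integer `struct label`, the `frag`/`fragq` structures, the `reassemble()` driver and the sample fragments are assumptions made for this example; only the hook names come from the message.

```c
/* Simplified stand-in for a MAC label: a single integer "type".  Assumed for
 * this illustration only; it is not TrustedBSD's struct label. */
struct label { int type; };
struct frag  { int ipid; struct label l; };             /* one fragment mbuf */
struct fragq { int ipid; int nfrags; struct label l; }; /* one reassembly queue */
/* Hook: may this fragment join this queue?  Label-based policies require equality. */
static int mac_mbuf_fragment_matches_mbuf_fragmentqueue(const struct frag *m,
    const struct fragq *q) { return m->l.type == q->l.type; }
/* Hook: label a freshly created queue from the fragment that instantiated it. */
static void mac_create_mbuf_fragmentqueue_from_mbuf_fragment(const struct frag *m,
    struct fragq *q) { q->l = m->l; }
/* Hook: fold an accepted fragment's label into the queue label.  A no-op under
 * equality; a TE-style policy composing differing labels would act here. */
static void mac_update_mbuf_fragmentqueue_from_mbuf_fragment(const struct frag *m,
    struct fragq *q) { (void)m; (void)q; }
/* Hook: derive the reassembled datagram's label from the queue label. */
static void mac_create_mbuf_datagram_from_mbuf_fragmentqueue(const struct fragq *q,
    struct label *d) { *d = q->l; }
/* Toy driver: a fragment joins a queue only if the IP id matches AND the MAC
 * match hook agrees.  Returns the number of queues used, or -1 if none is free. */
int reassemble(const struct frag *f, int n, struct fragq *q, int maxq)
{
	int nq = 0;
	for (int i = 0; i < n; i++) {
		int j;
		for (j = 0; j < nq; j++) {
			if (q[j].ipid != f[i].ipid ||
			    !mac_mbuf_fragment_matches_mbuf_fragmentqueue(&f[i], &q[j]))
				continue;
			mac_update_mbuf_fragmentqueue_from_mbuf_fragment(&f[i], &q[j]);
			q[j].nfrags++;
			break;
		}
		if (j < nq) continue;               /* fragment accepted into queue j */
		if (nq == maxq) return -1;          /* no free queue: fragment dropped */
		q[nq].ipid = f[i].ipid; q[nq].nfrags = 1;
		mac_create_mbuf_fragmentqueue_from_mbuf_fragment(&f[i], &q[nq]);
		nq++;
	}
	return nq;
}
/* Constructed input: three fragments of one IP id; the third carries a
 * different label, so the equality policy gives it a queue of its own. */
static const struct frag F[3] = { {42, {1}}, {42, {1}}, {42, {2}} };
int demo_queue_count(void) { struct fragq q[4]; return reassemble(F, 3, q, 4); } /* 2 */
int demo_datagram_type(void)   /* label handed to the two-fragment datagram: 1 */
{
	struct fragq q[4]; struct label d;
	reassemble(F, 3, q, 4);
	mac_create_mbuf_datagram_from_mbuf_fragmentqueue(&q[0], &d);
	return d.type;
}
```

Swapping the equality test in the match hook and adding composition logic to the update hook is all it takes to model the TE-style arrangement the message mentions, where fragments with differing labels may still be reassembled.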