Did anybody here try to use ipsec for labeled networking? (fwd)

Stephen Smalley sds at tislabs.com
Thu Feb 21 16:01:00 GMT 2002


On Wed, 20 Feb 2002, Ilmar S. Habibulin wrote:

> I'm trying to implement ipsec label support and have some questions which
> I want to discuss. Some of them are, for example: how should I treat the label
> specified with the AH algorithm in an SA - is it the packet label, or must the
> packet match this label and then the IP header with the CIPSO-coded label will
> be protected with this SA? And so on.

In DTOS and Flask (predecessors of SELinux), we used IPSEC to implicitly
label packets based on the SA.  So for an outgoing packet, we would look
up an SA that not only matched the source and destination but also matched
the security label of the outgoing packet and use that SA.  For an
incoming packet, we would look up the SA based on the SPI and use the
label from the SA as the packet label.  We didn't use CIPSO at all in
those systems.  See Ajay's master's thesis at
http://www.cs.utah.edu/flux/flask.

If you are trying to use IPSEC in combination with CIPSO for labeling,
perhaps there should be a generic label (e.g. a range) associated with the
SA, and a particular label (e.g. a particular level) specified via CIPSO.
You could then perform a validity check between the SA label and the CIPSO
label.

--
Stephen D. Smalley, NAI Labs
ssmalley at nai.com
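An added illustration (not code from DTOS, Flask or TrustedBSD) of the two lookups described above: outbound SA selection that also matches the packet's label, inbound labeling from the SA found by SPI, and the validity check of a CIPSO level against the range bound to the SA. Addresses, SPIs and level numbers are constructed.

```c
/* Constructed model of label-aware SA handling; not kernel code from any project. */
#include <stdint.h>
#include <stddef.h>

/* One security association: address pair, SPI, and the label range it may carry. */
struct sa_entry {
    uint32_t src, dst;      /* IPv4 addresses in host order (constructed values) */
    uint32_t spi;
    int      low, high;     /* inclusive sensitivity range bound to this SA */
};

/* Constructed security association database (hypothetical entries). */
static const struct sa_entry sad[] = {
    { 0x0A000001, 0x0A000002, 0x1001, 0, 0 },  /* level 0 only */
    { 0x0A000001, 0x0A000002, 0x1002, 1, 3 },  /* levels 1..3 */
    { 0x0A000001, 0x0A000003, 0x1003, 0, 3 },  /* levels 0..3 */
};
#define NSA (sizeof sad / sizeof sad[0])

/* Outbound: pick an SA matching src/dst AND able to carry the packet's level.
 * Returns the SPI, or 0 when no suitable labelled SA exists (caller drops). */
uint32_t sa_lookup_out(uint32_t src, uint32_t dst, int level)
{
    for (size_t i = 0; i < NSA; i++)
        if (sad[i].src == src && sad[i].dst == dst &&
            level >= sad[i].low && level <= sad[i].high)
            return sad[i].spi;
    return 0;
}

/* Inbound: the SPI identifies the SA, and the SA's label becomes the packet
 * label (the DTOS/Flask approach). Returns NULL for an unknown SPI. */
const struct sa_entry *sa_lookup_in(uint32_t spi)
{
    for (size_t i = 0; i < NSA; i++)
        if (sad[i].spi == spi)
            return &sad[i];
    return NULL;
}

/* IPsec plus CIPSO: a CIPSO level carried in the IP header is accepted only
 * if it lies inside the range of the SA that protected the packet. */
int label_valid(uint32_t spi, int cipso_level)
{
    const struct sa_entry *sa = sa_lookup_in(spi);
    return sa != NULL && cipso_level >= sa->low && cipso_level <= sa->high;
}
```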