Question about MAC labels and IP fragment handling

Robert Watson rwatson at FreeBSD.org
Sun Feb 3 02:55:58 GMT 2002


For those interested, I've recently submitted updates to the TrustedBSD
MAC Perforce repository that address IP fragmentation in the following
way:

(1) As before, when an IP datagram is fragmented, the MAC policy framework
    is presented with the datagram mbuf and each fragment mbuf, so as to
    initialize the fragment mbuf labels.  As before, all label-based MAC
    policies simply copy the label from the datagram to each fragment.

(2) Several MAC hooks are introduced during the reassembly process:

    mac_mbuf_fragment_matches_mbuf_fragmentqueue() augments the matching
    process by which a newly received fragment is compared with existing
    reassembly queues.  Using this hook, MAC policies may prevent
    fragments that would otherwise be reassembled from being placed in the
    same queue, presumably based on their label.  For current label-based
    MAC policies, label equality is required for two fragments to be
    reassembled.  In theory, this might not always be the case: for
    example, TE might assign types based on the source interface, but
    permit fragments arriving on different interfaces to be reassembled
    into a single datagram.

    mac_create_mbuf_fragmentqueue_from_mbuf_fragment() permits MAC
    policies to label a newly created fragment queue based on the fragment
    that caused the queue to be instantiated.  Current label-based MAC
    policies simply copy the fragment label into the queue label.

    mac_update_mbuf_fragmentqueue_from_mbuf_fragment() permits MAC
    policies to update the fragment queue label based on new fragments
    accepted into the queue based on the above _matches_ API call.  This
    hook addresses the requirements for composing labels that might differ
    across fragments accepted.  For example, if TE accepts fragments with
    different labels for reassembly, it must compose those fragments'
    labels into a single coherent (and policy-driven) datagram label.
    Using this hook, each fragment label is presented to the MAC policies
    for consideration.  Currently, no label-based MAC policies implement
    this hook, although TE may do so in the future.

    mac_create_mbuf_datagram_from_mbuf_fragmentqueue() permits MAC
    policies to determine a final label for the reassembled datagram based
    on the fragment queue label.  Current label-based MAC policies simply
    copy the fragment queue label to the datagram label.

This would seem to permit the broadest and most flexible scope for label
handling in the MAC framework.  The current implementation seems
reasonable (label equality required to compose the fragments, resulting in
a single label that is simply copied to the final datagram).  If there is
a potential useful MAC policy arrangement that cannot be implemented using
the current hook set, feel free to speak up.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services
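To make the hook sequence concrete, here is an added user-space model of the four reassembly hooks with the label-equality policy the message describes; it is example code written for this page, not TrustedBSD or FreeBSD kernel code. The `struct label` with a single integer type, the fragment and queue structures, and the `reassemble()` driver are constructed stand-ins for the kernel's mbuf and fragment-queue state.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed label: one integer "type" stands in for a real MAC label. */
struct label { int type; };
struct fragment { struct label l; };                /* a fragment mbuf */
struct fragqueue { struct label l; int nfrags; };   /* a reassembly queue */

/* Hook 1: may this fragment join this queue?  Label equality is required. */
static bool mac_mbuf_fragment_matches_mbuf_fragmentqueue(const struct fragment *f, const struct fragqueue *q) {
    return f->l.type == q->l.type;
}

/* Hook 2: a newly created queue takes the label of the fragment that opened it. */
static void mac_create_mbuf_fragmentqueue_from_mbuf_fragment(struct fragqueue *q, const struct fragment *f) {
    q->l = f->l;
    q->nfrags = 0;
}

/* Hook 3: compose an accepted fragment's label into the queue label.  Hook 1
 * already enforced equality, so a label-equality policy has nothing to do. */
static void mac_update_mbuf_fragmentqueue_from_mbuf_fragment(struct fragqueue *q, const struct fragment *f) {
    (void)q; (void)f;
}

/* Hook 4: the reassembled datagram takes the queue's label. */
static void mac_create_mbuf_datagram_from_mbuf_fragmentqueue(struct label *dgram, const struct fragqueue *q) {
    *dgram = q->l;
}

/* Model reassembler: each arriving fragment joins the first queue the policy
 * accepts it into, else opens a new queue.  Returns the number of queues used;
 * a fragment that finds no queue when all are in use is dropped (constructed). */
static size_t reassemble(const struct fragment *frags, size_t nfrags, struct fragqueue *queues, size_t maxq) {
    size_t nq = 0;
    for (size_t i = 0; i < nfrags; i++) {
        size_t j;
        for (j = 0; j < nq; j++)
            if (mac_mbuf_fragment_matches_mbuf_fragmentqueue(&frags[i], &queues[j]))
                break;
        if (j == nq) {
            if (nq == maxq) continue;
            mac_create_mbuf_fragmentqueue_from_mbuf_fragment(&queues[nq++], &frags[i]);
        }
        mac_update_mbuf_fragmentqueue_from_mbuf_fragment(&queues[j], &frags[i]);
        queues[j].nfrags++;
    }
    return nq;
}
```

A policy such as the TE case in the message would change hook 1 to accept differing labels and give hook 3 a real body that composes them; the driver itself stays the same.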
