some things to discuss about MAC

Ilmar S. Habibulin ilmar at watson.org
Thu Jan 3 15:19:58 GMT 2002


Well, as I understand, we have 4 cases (in general):
1. ordinary packet without label - is labeled with interface's label
2. CIPSO packet - is labeled with interface label, then is relabeled with
CIPSO label
3. IPSec tunnel mode packet:
	3a. without CIPSO - see case 1.
	3b. with CIPSO - see case 2.
4. IPSec transport mode - is labeled with interface label, then is
relabeled with SA label.

But relabeling of packets (read mbufs) will take place only after firewall
rules were checked. (is tense correct here?)
So firewall rules may be applied to default interface labels - that's what
I'm worrying about. And we have to teach firewall to understand packet
labels and use default (mbuf) labels only if the real label is absent.
But then what module should relabel mbuf - firewall check routines or
ip_dooptions? Maybe CIPSO code from ip_dooptions must be moved somewhere at
the beginning of ip_input()?

And anyway we can't apply firewall rules to mode 4 (ipsec transport). imho.
ipsec packet in transport mode can't contain any label, because it is
specified with SA.

PS. Another interesting question about NFS. Are there any thoughts on how to
transfer label between client and server in a compatible way with
non-trusted nfs clients/servers?
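The four labeling cases and the ordering problem raised above, as an added example that is not code from the post or from TrustedBSD. It models a label as a single sensitivity level and uses hypothetical names (pkt_t, effective_label, fw_pass, the IPSEC_* enum); the firewall check is a toy "maximum level" rule, run once against the interface default and once against the resolved label.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical label: one sensitivity level is enough to show precedence. */
typedef struct { int level; } label_t;

enum ipsec_mode { IPSEC_NONE, IPSEC_TUNNEL, IPSEC_TRANSPORT };

typedef struct {
    label_t ifnet_label;        /* default label of the receiving interface */
    bool    has_cipso;          /* packet carries a CIPSO option */
    label_t cipso_label;
    enum ipsec_mode mode;
    label_t sa_label;           /* label bound to the SA (transport mode) */
} pkt_t;

/* Cases 1-4 from the message: start from the interface label, then let the
 * CIPSO option or the SA label override it. Tunnel mode (case 3) only
 * matters through the inner packet's CIPSO option, so it folds into 1/2. */
label_t effective_label(const pkt_t *p)
{
    if (p->mode == IPSEC_TRANSPORT)   /* case 4: label comes from the SA */
        return p->sa_label;
    if (p->has_cipso)                 /* cases 2 and 3b */
        return p->cipso_label;
    return p->ifnet_label;            /* cases 1 and 3a */
}

/* Toy firewall rule: pass only packets at or below max_level. The flag
 * selects whether the check sees the default (mbuf) label or the real one. */
bool fw_pass(const pkt_t *p, int max_level, bool after_relabel)
{
    label_t l = after_relabel ? effective_label(p) : p->ifnet_label;
    return l.level <= max_level;
}

/* Convenience wrappers; cipso < 0 means "no CIPSO option present". */
pkt_t mk_pkt(int ifnet, int cipso, enum ipsec_mode mode, int sa)
{
    pkt_t p = { {ifnet}, cipso >= 0, {cipso < 0 ? 0 : cipso}, mode, {sa} };
    return p;
}

/* Constructed sample: unclassified interface (0), CIPSO level 3, rule
 * allows up to level 1. Checked before relabeling it passes; after, dropped. */
int main(void)
{
    pkt_t p = mk_pkt(0, 3, IPSEC_NONE, 0);
    printf("before relabel: %s\n", fw_pass(&p, 1, false) ? "pass" : "drop");
    printf("after relabel:  %s\n", fw_pass(&p, 1, true) ? "pass" : "drop");
    return 0;
}
```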


