Question about MAC labels and IP fragment handling
Robert Watson
rwatson at FreeBSD.org
Tue Jan 29 22:06:01 GMT 2002
When IP fragments are created as a result of exceeding the interface MTU
on transmission, the MAC code arranges for IP fragments to get appropriate
mbuf labels based on the label of the datagram being fragmented. For all
current MAC policies, this is simply a label copy operation, although
potentially it might be something else. This seems reasonable, and gets
the expected results on transmission (it's unlikely one fragment will be
rejected from transmission on an interface while others suceed, for
example).
An interesting question is raised when re-assembling fragments, however.
First, lets consider the basic mbuf labeling case. Fragments generally
have labels added to them as they come in the interface, or in the case of
loopback, they have the label appropriate for the socket that generated
the original datagram. Potentially however, there might be fragments
arriving off of different interfaces, and hence having different labels
based on the differing labels of the source interfaces. This suggests at
least two ways to handle this:
(1) Tweak the matching algorithm that identifies when fragments are from
the same datagram, and therefore decides they should be reassembled.
Right now, that matching algorithm is the stock IP algorithm, which
compares source/destination IPs, IP protocol field, and the IP ID
field. For MLS and Biba, generally, equality of label will be the
criteria for matching. For TE, you can imagine other behavior, where
individual interfaces had different labels (if_one_t, if_two_t), but
it was OK to reassemble fragments that arrived over the interfaces.
If an attacker on one interface (low integrity) was attempting to
spoof a packet from another interface, the datagram would be
reassembled independently of the datagram that was being spoofed.
(2) When a first fragment arrives, create a reassembly queue for it. When
additional fragments arrive, drop them if they cann't be assembled
into the same packet. This requires a check algorithm, which might be
the same as listed in (1). However, potentially an attacker on a low
integrity interface might interfere with actions on a high integrity
interface by flooding the fragment queue with potentially viable
fragments, which would then block legitimate packets that had
different labels.
Finally, this also raises the question of what the label on the datagram
should be. For Biba and MLS, I would expect all the labels to be equal
across the fragments, and the datagram label to match that of the
fragments. For TE, you could imagine wanting more flexible behavior, in
which case we need a policy hook to allow that new composed label to be
determined. A question here would be what labels that hook might need to
make the decision -- access to all the fragment labels at once? Access to
all the fragment labels as they come in, plus some storage to hold state?
Then we move onto the more complicated realm where there may be label
sources within the packet. For example, Ilmar's CIPSO support can bring
labels in IP options. First question: some IP options are scattered
across all of the fragments as fragmentation occurs (no-ops that maintain
alignment might be, for example, or source routing information). Others
are maintained only in the first fragment. Where to IPSO and CIPSO fit
into the picture? Would composition of those labels be required if
fragments carried their own IPSO/CIPSO labels? What about the (1) and (2)
above?
My current temptation is to do the following:
(1) Allow a policy hook to tweak the matching algorithm for fragments, and
use case (1) above.
(2) Based on the responses to this e-mail, either (a) use the mbuf label
from the first fragment as the label for the final datagram, or (b)
store a label in the IP fragment queue and allow the update of that
label as fragments come in. This provides access to the labels of all
the fragments on the way to the final datagram, so the results can be
composed.
(3) Assume that IPSO/CIPSO will apply only to the first fragment, and
ignore such labels on later fragments. (This could be wrong: perhaps
IPSO/CIPSO should be processed before fragment processing, and be used
to update the label on the mbuf subject to policy).
Suggestions welcome,
Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org NAI Labs, Safeport Network Services
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message
More information about the trustedbsd-discuss
mailing list