Implementing CIPSO -- domains of interpretation, etc
Robert Watson
rwatson at FreeBSD.org
Fri Jun 20 03:19:48 GMT 2003
Over the past few months, we've seen a lot of interest in a CIPSO
implementation for TrustedBSD. Right now, labels are maintained
internally on in flight packets (mbufs), network interfaces, sockets, IP
fragment queues, etc, but are not externalized onto wire networks. In the
past, Ilmar Habibulin has implemented basic CIPSO support for earlier
TrustedBSD MLS implementations, but I'm looking at generalizing that
support so that various policies (MLS, TE using SEBSD, etc) can carry
label data over the network. The MAC Framework as found in the MAC
development tree currently has an entry point to offer CIPSO IP header
options to the MAC policies for interpretation (and permits MAC policies
to generate an ICMP error on rejecting a label, if they choose).
However, we don't have an entry point due to some requirements for
externalization that are a little hard to represent in the current stack
layout. For example, in our earlier designs, we wanted to determine
whether CIPSO was required for a packet based on the properties of the
outgoing network interfaces: i.e., some interfaces might operate as
single-level, but others might operate as multi-level with CIPSO
requirements and a domain of interpretation configured for the interfaces.
However, the IP header construction is performed (in most cases) before
the routing decision is made, so the interface is not available at the
most logical point to insert the header in the existing code, so that
disposition of the interface isn't available to determine if we want to
use CIPSO, and if so, how to generate the CIPSO header. In Ilmar's
earlier implementation, he generated CIPSO based on the socket sourcing
the packet, so much earlier in the packet building process. However, this
wouldn't permit the following desired behavior: if a packet sourced from
a single-level interface is to be routed over a multi-level interface, its
CIPSO label will reflect the label assigned from the single-level
interface on ingress.
I'm looking for two sorts of information to influence the approach we take
for CIPSO:
(1) Information on how other network stack implementations approach this
problem -- do they make CIPSO decisions based on the interface
identified for routing? If so, do the stacks not construct the header
chain until after the routing step is done, or do they reprocess the
packet to insert the header if CIPSO is required (picking up extra
memory copies, etc). If they don't use the interface for CIPSO
disposition on transmission, what do they use? The socket? The
route? Do implementations generally internalize the CIPSO label when
the packet comes in, discard the CIPSO data, and then re-insert it on
the outbound path, or do they keep it along the way only rewriting if
necessary?
(2) The RFC defining CIPSO isn't extraordinarily explicit about how to
construct CIPSO labels for common use. CIPSO labels are subject to a
domain of interpretation; I believe most implementations map network
values to internal label values, since most implementations have more
expressive labeling facilities than can be represented in common CIPSO
use. Many systems appear to use a configured table (perhaps
mechanically maintained) to map externalized values (perhaps on a
per-source, per-interface, ... basis) to internalized values, and
likewise to determine how to represent outgoing label data to specific
interfaces or hosts. How do most systems address this -- what tends
to work, what doesn't, and what is most useful, behavior-wise?
Finally, we've had some interest in trusted routing -- i.e., including the
label of a packet or its source in the decision making process for routing
the packet out another interface. Is this behavior we should be
providing and that is commonly used, or is it something we should defer?
We don't have to address it at the same time as CIPSO, but if we have our
fingers in the routing code anyway... :-)
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Network Associates Laboratories
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message
More information about the trustedbsd-discuss
mailing list