Implementing CIPSO -- domains of interpretation, etc

James Morris jmorris at intercode.com.au
Fri Jun 20 14:55:54 GMT 2003


On Thu, 19 Jun 2003, Robert Watson wrote:

> (2) The RFC defining CIPSO isn't extraordinarily explicit about how to
>     construct CIPSO labels for common use.  CIPSO labels are subject to a
>     domain of interpretation; I believe most implementations map network
>     values to internal label values, since most implementations have more
>     expressive labeling facilities than can be represented in common CIPSO
>     use.

This seems to be a good general solution, and was used for the SELinux
labeled networking (currently defunct).  FIPS188 free form tags were used
to encode labels as 32-bit values.  See
http://www.intercode.com.au/jmorris/selopt/old/ for some code and
documentation.

>  Many systems appear to use a configured table (perhaps
>     mechanically maintained) to map externalized values (perhaps on a
>     per-source, per-interface, ... basis) to internalized values, and
>     likewise to determine how to represent outgoing label data to specific
>     interfaces or hosts.  How do most systems address this -- what tends
>     to work, what doesn't, and what is most useful, behavior-wise?

With Selopt, an out of band mapping protocol (SCMP) was implemented, which
allowed nodes to exchange information on how to interpret the external
labels.  The system worked ok on a LAN, although I'm not aware of any work
being performed to evaluate it for more general use.

As Ilmar pointed out, another way of approaching things is to use IPSec.
An earlier Flask project did this, see
http://www.cs.utah.edu/flux/papers/ajay-thesis-abs.html

One potential issue with this is that it makes IPSec even more complicated
than it already is.  The flipside of this is that labeling doesn't need to
hook as deeply into the core networking stack, which may be the lesser of
two evils.


- James
-- 
James Morris
<jmorris at intercode.com.au>
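The mapping approach discussed above (a 32-bit label carried in a CIPSO free-form tag, translated through a configured table keyed by domain of interpretation) as an added example in C; this is not selopt, SELinux or TrustedBSD code. It follows the CIPSO option layout (option type 134, one-octet length, four-octet DOI, then tags), but the free-form tag number 6, its layout (type, length, four value octets) and the mapping table contents, including the security context strings, are assumptions made for this example. Receiver and sender sides are both shown, since the quoted question asks about both directions.

```c
/* CIPSO option parsing with a configured per-DOI label map.  Added example for
 * the thread above; not selopt, SELinux or TrustedBSD code.  Option type 134
 * follows the CIPSO draft; the free-form tag number (6), its 4-octet value
 * layout and the mapping table contents are assumptions for this example. */
#include <stdint.h>
#include <string.h>

#define CIPSO_OPT_TYPE     134  /* IPv4 option number used by CIPSO */
#define CIPSO_TAG_FREEFORM 6    /* assumed: free-form tag carrying one 32-bit value */
#define CIPSO_OPT_LEN      12   /* type + length + 4 (DOI) + 6 (free-form tag) */

enum cipso_rc { CIPSO_OK = 0, CIPSO_ERR_NOT_CIPSO = -1, CIPSO_ERR_SHORT = -2, CIPSO_ERR_TAG = -3 };

struct net_label {
    uint32_t doi;          /* domain of interpretation the value belongs to */
    int      has_freeform;
    uint32_t freeform;     /* 32-bit value carried in the free-form tag */
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Parse one CIPSO option (type, length, 4-octet DOI, tags) from opt[0..len).
 * Every length field is checked against the buffer before it is used. */
int cipso_parse(const uint8_t *opt, size_t len, struct net_label *out)
{
    size_t optlen, i = 6;

    if (len < 2 || opt[0] != CIPSO_OPT_TYPE)
        return CIPSO_ERR_NOT_CIPSO;
    optlen = opt[1];
    if (optlen < 6 || optlen > len)         /* must at least cover the DOI */
        return CIPSO_ERR_SHORT;
    memset(out, 0, sizeof(*out));
    out->doi = get_be32(opt + 2);

    while (i < optlen) {
        uint8_t type, tlen;
        if (optlen - i < 2)
            return CIPSO_ERR_SHORT;
        type = opt[i];
        tlen = opt[i + 1];
        if (tlen < 2 || i + tlen > optlen)  /* tag overruns the option */
            return CIPSO_ERR_SHORT;
        /* only the assumed free-form tag (type, length, 4 value octets) is
         * accepted; any other tag, or a second label, is rejected, not guessed at */
        if (type != CIPSO_TAG_FREEFORM || tlen != 6 || out->has_freeform)
            return CIPSO_ERR_TAG;
        out->freeform = get_be32(opt + i + 2);
        out->has_freeform = 1;
        i += tlen;
    }
    return CIPSO_OK;
}

/* Configured table: (DOI, network value) -> internal label.  A real system would
 * load this per interface or peer; these entries are constructed for the example. */
struct doi_map { uint32_t doi; uint32_t net_value; const char *internal; };
static const struct doi_map map_table[] = {
    { 1, 0x00000001, "system_u:object_r:unclassified_t" },
    { 1, 0x00000002, "system_u:object_r:secret_t" },
    { 2, 0x00000002, "system_u:object_r:partner_t" },  /* same value, other DOI */
};
#define MAP_LEN (sizeof(map_table) / sizeof(map_table[0]))

/* Inbound: NULL means no mapping; drop the packet rather than pick a default. */
const char *cipso_to_internal(const struct net_label *nl)
{
    size_t n;
    for (n = 0; nl->has_freeform && n < MAP_LEN; n++)
        if (map_table[n].doi == nl->doi && map_table[n].net_value == nl->freeform)
            return map_table[n].internal;
    return NULL;
}

/* Outbound: encode an internal label for the peer's DOI.  Returns the option
 * length written, or 0 when the label has no representation in that DOI. */
size_t cipso_from_internal(uint32_t doi, const char *internal, uint8_t *opt, size_t cap)
{
    size_t n;
    for (n = 0; n < MAP_LEN; n++) {
        if (map_table[n].doi != doi || strcmp(map_table[n].internal, internal) != 0)
            continue;
        if (cap < CIPSO_OPT_LEN)
            return 0;
        opt[0] = CIPSO_OPT_TYPE; opt[1] = CIPSO_OPT_LEN; put_be32(opt + 2, doi);
        opt[6] = CIPSO_TAG_FREEFORM; opt[7] = 6; put_be32(opt + 8, map_table[n].net_value);
        return CIPSO_OPT_LEN;
    }
    return 0;
}
```

The table is keyed by DOI as well as value, so the same 32-bit value can legitimately mean different things to peers in different domains, and a lookup miss returns NULL so the caller drops the packet instead of falling back to a default label. Choosing which DOI applies to a given interface or peer is the part that either static configuration or an out-of-band exchange like the SCMP mentioned above would have to supply; the example leaves that as the caller's responsibility.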


