===================================
NetLabel CIPSO/IPv4 Protocol Engine
===================================

Paul Moore, paul.moore@hp.com

May 17, 2006

Overview
========

The NetLabel CIPSO/IPv4 protocol engine is based on the IETF Commercial
IP Security Option (CIPSO) draft from July 16, 1992. A copy of this
draft can be found in this directory
(draft-ietf-cipso-ipsecurity-01.txt). While the IETF draft never made
it to an RFC standard, it has become a de-facto standard for labeled
networking and is used in many trusted operating systems.

Outbound Packet Processing
==========================

The CIPSO/IPv4 protocol engine applies the CIPSO IP option to packets by
adding the CIPSO label to the socket. This causes all packets leaving the
system through the socket to have the CIPSO IP option applied. The socket's
CIPSO label can be changed at any point in time; however, it is recommended
that it be set upon the socket's creation. The LSM can set the socket's CIPSO
label by using the NetLabel security module API; if the NetLabel "domain" is
configured to use CIPSO for packet labeling, then a CIPSO IP option will be
generated and attached to the socket.

Inbound Packet Processing
=========================

The CIPSO/IPv4 protocol engine validates every CIPSO IP option it finds at the
IP layer without any special handling required by the LSM. However, in order
to decode and translate the CIPSO label on the packet, the LSM must use the
NetLabel security module API to extract the security attributes of the packet.
This is typically done at the socket layer using the 'socket_sock_rcv_skb()'
LSM hook.

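As an added example (not part of this documentation or of the kernel's NetLabel code), the following user-space C parser performs the kind of structural validation the engine applies to an inbound CIPSO option, for the draft's tag type 1 (restrictive bit map). Every length field is checked against the buffer before it is used; the option bytes are constructed for illustration, and ``struct cipso_attr`` and the function names are this example's own, not kernel API.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CIPSO_OPT_TYPE   134  /* IPv4 option type for CIPSO */
#define CIPSO_TAG_BITMAP 1    /* tag type 1: restrictive bit map */

/* Decoded security attributes of one CIPSO option (example-local type). */
struct cipso_attr {
    uint32_t doi;        /* Domain Of Interpretation */
    uint8_t  level;      /* sensitivity level */
    uint8_t  cats[30];   /* category bitmap, category 0 = MSB of cats[0] */
    size_t   cats_len;   /* number of valid bitmap octets (0..30) */
};

/* Parse a CIPSO option: type, length, 4-octet DOI, then tags.
 * Returns 0 on success, -1 if the option is malformed or unsupported. */
int cipso_parse(const uint8_t *opt, size_t len, struct cipso_attr *out)
{
    if (len < 6 || opt[0] != CIPSO_OPT_TYPE)
        return -1;
    size_t opt_len = opt[1];                 /* total length incl. header */
    if (opt_len < 6 || opt_len > len || opt_len > 40)
        return -1;                           /* IPv4 options max 40 octets */
    out->doi = (uint32_t)opt[2] << 24 | (uint32_t)opt[3] << 16 |
               (uint32_t)opt[4] << 8  | opt[5];
    if (out->doi == 0)
        return -1;                           /* DOI 0 is reserved */
    for (size_t pos = 6; pos < opt_len; ) {
        if (pos + 2 > opt_len)
            return -1;                       /* truncated tag header */
        uint8_t ttype = opt[pos], tlen = opt[pos + 1];
        if (tlen < 4 || pos + tlen > opt_len)
            return -1;                       /* tag overruns the option */
        if (ttype == CIPSO_TAG_BITMAP) {
            if (tlen > 34 || opt[pos + 2] != 0)
                return -1;                   /* bad length or alignment octet */
            out->level = opt[pos + 3];
            out->cats_len = tlen - 4;
            memcpy(out->cats, opt + pos + 4, out->cats_len);
            return 0;
        }
        pos += tlen;                         /* skip tag types we don't decode */
    }
    return -1;                               /* no supported tag present */
}

/* Test whether category `cat` is set in a parsed bit map tag. */
int cipso_has_category(const struct cipso_attr *a, unsigned cat)
{
    return cat / 8 < a->cats_len && ((a->cats[cat / 8] >> (7 - cat % 8)) & 1);
}

/* Constructed samples: DOI 1, level 3, categories 0, 2 and 15; and a tag
 * whose declared length (8) runs past the option's declared length (10). */
const uint8_t cipso_sample_good[] = {134, 12, 0, 0, 0, 1, 1, 6, 0, 3, 0xA0, 0x01};
const uint8_t cipso_sample_bad[]  = {134, 10, 0, 0, 0, 1, 1, 8, 0, 3};
```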
Label Translation
=================

The CIPSO/IPv4 protocol engine contains a mechanism to translate CIPSO security
attributes such as sensitivity level and category to values which are
appropriate for the host. These mappings are defined as part of a CIPSO
Domain Of Interpretation (DOI) definition and are configured through the
NetLabel user space communication layer. Each DOI definition can have a
different security attribute mapping table.

Label Translation Cache
=======================

The NetLabel system provides a framework for caching security attribute
mappings from the network labels to the corresponding LSM identifiers. The
CIPSO/IPv4 protocol engine supports this caching mechanism.