===================================
NetLabel CIPSO/IPv4 Protocol Engine
===================================

Paul Moore, paul.moore@hp.com

May 17, 2006

Overview
========

The NetLabel CIPSO/IPv4 protocol engine is based on the IETF Commercial
IP Security Option (CIPSO) draft from July 16, 1992. A copy of this
draft can be found in this directory
(draft-ietf-cipso-ipsecurity-01.txt). While the IETF draft never made
it to an RFC standard, it has become a de-facto standard for labeled
networking and is used in many trusted operating systems.

Outbound Packet Processing
==========================

The CIPSO/IPv4 protocol engine applies the CIPSO IP option to packets by
adding the CIPSO label to the socket. This causes all packets leaving the
system through the socket to have the CIPSO IP option applied. The socket's
CIPSO label can be changed at any point in time; however, it is recommended
that it be set upon the socket's creation. The LSM can set the socket's CIPSO
label by using the NetLabel security module API; if the NetLabel "domain" is
configured to use CIPSO for packet labeling, then a CIPSO IP option will be
generated and attached to the socket.

Inbound Packet Processing
=========================

The CIPSO/IPv4 protocol engine validates every CIPSO IP option it finds at the
IP layer without any special handling required by the LSM. However, in order
to decode and translate the CIPSO label on the packet the LSM must use the
NetLabel security module API to extract the security attributes of the packet.
This is typically done at the socket layer using the 'socket_sock_rcv_skb()'
LSM hook.

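The structural checks the inbound path has to make before any label on a packet can be trusted are easiest to see on the wire format itself. The following is an added example, not kernel code: a small Python decoder for the CIPSO IPv4 option (IP option type 134) laid out as in the 1992 draft (type, length, 4-byte DOI, then tags, each with a 1-byte type and 1-byte length). It handles tag types 1 (restrictive bitmap), 2 (enumerated) and 5 (ranged), rejects anything malformed, and returns the network-side sensitivity level and categories; the sample option bytes are constructed for the example.

```python
"""Decode and sanity-check a CIPSO/IPv4 option (added example, not kernel code).

Layout per draft-ietf-cipso-ipsecurity-01: type(134), length, DOI (4 bytes,
big-endian), then tags.  Every tag starts with type, length, an alignment
octet and the sensitivity level; the tag body encodes the categories.
"""
import struct
from dataclasses import dataclass

CIPSO_OPT_TYPE = 134
OPT_LEN_MIN, OPT_LEN_MAX = 6, 40          # IPv4 options are capped at 40 bytes
TAG_HDR_LEN = 4                           # type, length, alignment, level


class CipsoError(ValueError):
    """Raised for any option that must not be accepted."""


@dataclass
class CipsoLabel:
    doi: int
    level: int                 # network-side sensitivity level
    categories: frozenset      # network-side category numbers


def _tag_bitmap(body: bytes) -> frozenset:
    # Tag 1: category n is bit n counting from the MSB of byte 0 (max 30 bytes).
    return frozenset(i * 8 + bit
                     for i, b in enumerate(body)
                     for bit in range(8) if b & (0x80 >> bit))


def _tag_enum(body: bytes) -> frozenset:
    # Tag 2: list of 16-bit categories, ascending and unique.
    if len(body) % 2:
        raise CipsoError("enumerated tag has odd payload length")
    cats = struct.unpack(f"!{len(body) // 2}H", body)
    if list(cats) != sorted(set(cats)):
        raise CipsoError("enumerated categories must be ascending and unique")
    return frozenset(cats)


def _tag_range(body: bytes) -> frozenset:
    # Tag 5: (top, bottom) 16-bit pairs; a trailing bottom of 0 may be omitted.
    if len(body) % 2:
        raise CipsoError("ranged tag has odd payload length")
    words = list(struct.unpack(f"!{len(body) // 2}H", body))
    cats = set()
    while words:
        top = words.pop(0)
        bottom = words.pop(0) if words else 0
        if bottom > top:
            raise CipsoError("ranged tag bottom is above top")
        cats.update(range(bottom, top + 1))
    return frozenset(cats)


# tag type -> (decoder, maximum tag length including the 4-byte tag header)
TAG_DECODERS = {1: (_tag_bitmap, 34), 2: (_tag_enum, 34), 5: (_tag_range, 32)}


def parse_cipso_option(opt: bytes) -> CipsoLabel:
    """Validate the whole option and return the label carried by its first tag."""
    if len(opt) < OPT_LEN_MIN or opt[0] != CIPSO_OPT_TYPE:
        raise CipsoError("not a CIPSO option")
    length = opt[1]
    if length != len(opt) or not OPT_LEN_MIN <= length <= OPT_LEN_MAX:
        raise CipsoError("bad option length")
    doi = struct.unpack("!I", opt[2:6])[0]
    if doi == 0:
        raise CipsoError("DOI 0 is reserved")
    label = None
    pos = 6
    while pos < length:
        if length - pos < 2:
            raise CipsoError("truncated tag header")
        tag_type, tag_len = opt[pos], opt[pos + 1]
        if tag_type not in TAG_DECODERS:
            raise CipsoError(f"unsupported tag type {tag_type}")
        decode, max_len = TAG_DECODERS[tag_type]
        if not TAG_HDR_LEN <= tag_len <= max_len or pos + tag_len > length:
            raise CipsoError("bad tag length")
        level = opt[pos + 3]                  # opt[pos + 2] is the alignment octet
        cats = decode(opt[pos + 4:pos + tag_len])
        if label is None:
            label = CipsoLabel(doi, level, cats)
        pos += tag_len
    if label is None:
        raise CipsoError("option carries no tags")
    return label


def is_valid_cipso_option(opt: bytes) -> bool:
    """Boolean form of the same check, for callers that only need accept/drop."""
    try:
        parse_cipso_option(opt)
        return True
    except CipsoError:
        return False


if __name__ == "__main__":
    # Constructed sample: DOI 16, tag 1, level 3, bitmap 0xC0 0x20 -> categories {0, 1, 10}
    sample = b"\x86\x0c\x00\x00\x00\x10\x01\x06\x00\x03\xc0\x20"
    print(parse_cipso_option(sample))
```

The decoder is deliberately strict about lengths: the option length must match the bytes actually present and every tag must fit inside it, which is the class of check that keeps a malformed option from being read past its end. Whether a given DOI and tag type are acceptable at all is a policy question answered by the configured DOI definition, which the example does not model.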
Label Translation
=================

The CIPSO/IPv4 protocol engine contains a mechanism to translate CIPSO security
attributes such as sensitivity level and category to values which are
appropriate for the host. These mappings are defined as part of a CIPSO
Domain Of Interpretation (DOI) definition and are configured through the
NetLabel user space communication layer. Each DOI definition can have a
different security attribute mapping table.

Label Translation Cache
=======================

The NetLabel system provides a framework for caching security attribute
mappings from the network labels to the corresponding LSM identifiers. The
CIPSO/IPv4 protocol engine supports this caching mechanism.
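The per-DOI mapping tables, the cache in front of them, and the outbound generation of an option from a host label (the Outbound Packet Processing, Label Translation and Label Translation Cache sections above) fit in one small model. The following is an added example and not kernel code: `DoiDefinition`, `CipsoTranslator`, `HostLabel` and `encode_rbm_option` are names chosen for this illustration. Two simplifications are assumptions: the cache is keyed on the decoded network-side attributes and stores host-side labels (the kernel keys on the option bytes and stores LSM identifiers), and a DOI whose definition is removed simply drops its cached entries. The DOI mapping values are constructed for the example.

```python
"""Translated-DOI label mapping with a cache and tag-1 option encoding
(added example, not kernel code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HostLabel:
    level: int
    categories: frozenset


class TranslationError(ValueError):
    """A network value has no host-side equivalent in this DOI."""


@dataclass
class DoiDefinition:
    """A 'translated' DOI carries explicit level and category maps; a
    pass-through DOI would use identity maps instead."""
    doi: int
    lvl_host_to_net: dict
    cat_host_to_net: dict
    lvl_net_to_host: dict = field(init=False)
    cat_net_to_host: dict = field(init=False)

    def __post_init__(self):
        if self.doi == 0:
            raise ValueError("DOI 0 is reserved")
        # Reverse maps must be unambiguous, or one network label could decode
        # to two different host labels.
        self.lvl_net_to_host = {v: k for k, v in self.lvl_host_to_net.items()}
        self.cat_net_to_host = {v: k for k, v in self.cat_host_to_net.items()}
        if (len(self.lvl_net_to_host) != len(self.lvl_host_to_net)
                or len(self.cat_net_to_host) != len(self.cat_host_to_net)):
            raise ValueError("DOI mapping is not one-to-one")


class CipsoTranslator:
    def __init__(self):
        self.dois = {}
        self.cache = {}          # (doi, net_level, net_cats) -> HostLabel  (assumed key)
        self.cache_hits = 0

    def add_doi(self, definition: DoiDefinition) -> None:
        self.dois[definition.doi] = definition

    def remove_doi(self, doi: int) -> None:
        # Anything cached under a DOI that no longer exists must go with it.
        del self.dois[doi]
        self.cache = {k: v for k, v in self.cache.items() if k[0] != doi}

    def _doi(self, doi: int) -> DoiDefinition:
        try:
            return self.dois[doi]
        except KeyError:
            raise TranslationError(f"unknown DOI {doi}") from None

    def network_to_host(self, doi, net_level, net_cats) -> HostLabel:
        """Inbound direction: network values -> host label, cached per DOI."""
        key = (doi, net_level, frozenset(net_cats))
        if key in self.cache:
            self.cache_hits += 1
            return self.cache[key]
        d = self._doi(doi)
        try:
            label = HostLabel(d.lvl_net_to_host[net_level],
                              frozenset(d.cat_net_to_host[c] for c in net_cats))
        except KeyError as missing:
            raise TranslationError(f"no host mapping for network value {missing}") from None
        self.cache[key] = label
        return label

    def host_to_network(self, doi, label: HostLabel):
        """Outbound direction: host label -> (net_level, net_cats)."""
        d = self._doi(doi)
        try:
            return (d.lvl_host_to_net[label.level],
                    frozenset(d.cat_host_to_net[c] for c in label.categories))
        except KeyError as missing:
            raise TranslationError(f"no network mapping for host value {missing}") from None


def encode_rbm_option(doi: int, net_level: int, net_cats) -> bytes:
    """Build a CIPSO option with one tag-1 (restrictive bitmap) tag.
    Category n is bit n counting from the MSB of byte 0; 30 bytes allow 0..239."""
    net_cats = set(net_cats)
    if net_cats and max(net_cats) > 239:
        raise ValueError("bitmap tag holds categories 0..239 only")
    nbytes = (max(net_cats) // 8 + 1) if net_cats else 0
    bitmap = bytearray(nbytes)
    for c in net_cats:
        bitmap[c // 8] |= 0x80 >> (c % 8)
    tag = bytes([1, 4 + nbytes, 0, net_level]) + bytes(bitmap)
    return bytes([134, 6 + len(tag)]) + doi.to_bytes(4, "big") + tag


if __name__ == "__main__":
    t = CipsoTranslator()
    t.add_doi(DoiDefinition(16, {0: 0, 1: 10, 2: 20}, {0: 100, 1: 101, 5: 105}))
    print(t.network_to_host(16, 10, {100, 105}))
    print(encode_rbm_option(16, *t.host_to_network(16, HostLabel(2, frozenset({1})))).hex())
```

The one-to-one check in `__post_init__` is the part worth keeping in mind when writing real DOI mappings: a table that maps two host categories to the same network value is accepted as configuration but makes the inbound translation ambiguous, and a cache only makes that ambiguity harder to notice.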