NetLabel CIPSO/IPv4 Protocol Engine
==============================================================================
Paul Moore, paul.moore@hp.com

May 17, 2006

* Overview

The NetLabel CIPSO/IPv4 protocol engine is based on the IETF Commercial IP
Security Option (CIPSO) draft from July 16, 1992. A copy of this draft can be
found in this directory; consult '00-INDEX' for the filename. While the IETF
draft never made it to an RFC standard, it has become a de-facto standard for
labeled networking and is used in many trusted operating systems.

* Outbound Packet Processing

The CIPSO/IPv4 protocol engine applies the CIPSO IP option to packets by
adding the CIPSO label to the socket. This causes all packets leaving the
system through the socket to have the CIPSO IP option applied. The socket's
CIPSO label can be changed at any time; however, it is recommended that it be
set when the socket is created. The LSM can set the socket's CIPSO label by
using the NetLabel security module API; if the NetLabel "domain" is configured
to use CIPSO for packet labeling, then a CIPSO IP option will be generated and
attached to the socket.

* Inbound Packet Processing

The CIPSO/IPv4 protocol engine validates every CIPSO IP option it finds at the
IP layer without any special handling required by the LSM. However, in order
to decode and translate the CIPSO label on the packet, the LSM must use the
NetLabel security module API to extract the security attributes of the packet.
This is typically done at the socket layer using the 'socket_sock_rcv_skb()'
LSM hook.

* Label Translation

The CIPSO/IPv4 protocol engine contains a mechanism to translate CIPSO security
attributes, such as sensitivity level and category, to values which are
appropriate for the host. These mappings are defined as part of a CIPSO
Domain Of Interpretation (DOI) definition and are configured through the
NetLabel user space communication layer. Each DOI definition can have a
different security attribute mapping table.

* Label Translation Cache

The NetLabel system provides a framework for caching security attribute
mappings from the network labels to the corresponding LSM identifiers. The
CIPSO/IPv4 protocol engine supports this caching mechanism.
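The two steps above (validating an inbound CIPSO option, then translating its level and categories through the DOI's mapping table) as an added example in user-space C; this is not the kernel's cipso_ipv4 code. It assumes the wire layout of the 1992 CIPSO draft the document cites and a constructed mapping table for a DOI numbered 3; the sample option bytes are constructed as well.

```c
/* Added example, not the kernel's own code. Layout from the 1992 CIPSO draft
 * the document cites: option type 134, option length, 4-octet DOI, then tags;
 * tag type 1 = type, length (4..34), alignment octet (0), sensitivity level,
 * category bitmap with category 0 in the MSB of the first bitmap octet. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CIPSO_OPT_TYPE    134
#define CIPSO_TAG_RBITMAP 1
#define CIPSO_UNMAPPED    0xff
#define MAX_CATS          240   /* 30 bitmap octets * 8 bits */

struct cipso_label {
    uint32_t doi;
    uint8_t level;           /* host-local level after translation */
    uint8_t cats[MAX_CATS];  /* 1 where the host-local category is set */
};
/* Constructed DOI 3 mapping table: network value -> host value, or unmapped. */
static const uint8_t lvl_map[4] = { 0, 2, CIPSO_UNMAPPED, 7 };
static const uint8_t cat_map[8] = { 5, CIPSO_UNMAPPED, 1, CIPSO_UNMAPPED,
                                    CIPSO_UNMAPPED, CIPSO_UNMAPPED, CIPSO_UNMAPPED, 0 };

/* Constructed sample: DOI 3, tag 1, network level 1, network categories 0 and 2. */
static const uint8_t sample_opt[12] = { 134, 12, 0, 0, 0, 3, 1, 6, 0, 1, 0xA0, 0x00 };
/* Returns 0 on success, -1 if the option is malformed or carries a level or
 * category the DOI does not map; like the engine, reject rather than guess. */
int cipso_parse_rbitmap(const uint8_t *opt, size_t len, struct cipso_label *out)
{
    if (len < 10 || opt[0] != CIPSO_OPT_TYPE || opt[1] != len) return -1;
    uint32_t doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
                   ((uint32_t)opt[4] << 8) | opt[5];
    if (doi != 3) return -1;        /* only the constructed DOI 3 is configured */
    const uint8_t *tag = opt + 6;
    size_t tlen = tag[1];           /* tag length includes its 4-octet header */
    if (tag[0] != CIPSO_TAG_RBITMAP || tlen < 4 || tlen > 34 || tlen > len - 6 ||
        tag[2] != 0)
        return -1;
    if (tag[3] >= sizeof lvl_map || lvl_map[tag[3]] == CIPSO_UNMAPPED) return -1;
    memset(out, 0, sizeof(*out));
    out->doi = doi;
    out->level = lvl_map[tag[3]];
    for (size_t bit = 0; bit < (tlen - 4) * 8; bit++) {
        if (!(tag[4 + bit / 8] & (0x80 >> (bit % 8)))) continue;
        if (bit >= sizeof cat_map || cat_map[bit] == CIPSO_UNMAPPED) return -1;
        out->cats[cat_map[bit]] = 1;
    }
    return 0;
}
```

A real DOI definition is loaded through the NetLabel user space interface rather than compiled in; the tables here only stand in for that configuration.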