some things to discuss about MAC

Robert Watson rwatson at FreeBSD.org
Fri Dec 28 14:19:53 GMT 2001


On Fri, 28 Dec 2001, Ilmar S. Habibulin wrote:

> First of all - if we have labels on interfaces, do we need additional
> firewall rulez for CIPSO packets? Making such firewall rulez available
> will bring more fine grade control over network information flow. So one
> can send secret packets to any ip, and top secret to 1.1.1.1 ip only,
> for ex.  Any thoughts, suggestions? 

My temptation would be instead to process based on the mbuf MAC label, and
simply make sure CIPSO processing happened before the packets were fed
into ipfw.  This would mean we could process packets not using CIPSO, and
avoid modifying packets without CIPSO (such as those popping out of an
IPsec tunnel with an assigned label) in order to allow them to be
processed.  That doesn't mean we shouldn't also support filtering based on
CIPSO, but this route might be simpler.

Filtering based on IP using this type of filtering sounds relatively
straightforward -- however, things are slightly more complex for
filtering based on (say) UDP port number, because UDP errors are reported
out of band using ICMP, making them harder to match.

I'm actually running into an interesting problem involving TCP right now. 
Currently, I don't polyinstantiate the port space, I just do access
control.  When a TCP response is sent to a packet, and there's an
associated socket, the socket's label is used for the response packet.
However, when there's no socket, the original query's label is used.  The
result is that if a port is accepting connections, but the socket is
labeled such that you are not permitted to talk to it, you get a
connection timed out.  But if you try to connect to a port that is not
open (unless interface rules restrict it) you get the connection refused
RST.  Not a huge problem but something to resolve at some point.  The good
news is that access control on raw sockets, UDP sockets, and TCP sockets
all now appears to be working correctly (I fixed a few more bugs last
night), and interface-based access control works correctly.  Right now,
I'm focussing a bit of time on getting a basic TE implementation working,
and then will move back to the network stack to integrate your CIPSO code,
and broaden support for access control on interfaces (support label ranges
not just equality tests for outgoing packets). 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services
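The labelling rules described in the message above (mbuf and socket labels, interface label ranges rather than equality tests, and a TCP reply carrying the socket's label when a socket exists and the query's label when it does not) as an added C model. This is illustration code written for this page, not FreeBSD or TrustedBSD source; the `mls_label` type, the `mls_dominates`/`mls_in_range` helpers, the rule that delivery to a socket requires label equality, and the `model_syn_response` function are all assumptions made here, and the sample labels are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model, not FreeBSD or TrustedBSD code, of the labelling rules
 * the message describes: every mbuf and socket carries a sensitivity label,
 * every interface carries a label range, and a TCP reply is labelled with the
 * socket's label when a socket exists and with the query's label otherwise.
 */
typedef struct {
    unsigned level;         /* hierarchical level: 0 unclassified .. 2 top secret */
    uint64_t compartments;  /* non-hierarchical compartments as a bitmask */
} mls_label;

typedef struct { mls_label lo, hi; } mls_range;  /* inclusive interface range */

/* a dominates b: a's level is at least b's and a holds every compartment of b. */
static bool mls_dominates(mls_label a, mls_label b)
{
    return a.level >= b.level && (b.compartments & ~a.compartments) == 0;
}

static bool mls_equal(mls_label a, mls_label b)
{
    return a.level == b.level && a.compartments == b.compartments;
}

/* Range test on an interface: lo <= l <= hi in the dominance order.
 * This is the generalisation of the equality test the message wants to replace. */
static bool mls_in_range(mls_label l, mls_range r)
{
    return mls_dominates(l, r.lo) && mls_dominates(r.hi, l);
}

/* Label carried by the reply to a SYN: the socket's if one exists, else the query's. */
static mls_label reply_label(mls_label query, bool listening, mls_label sock)
{
    return listening ? sock : query;
}

enum tcp_response {
    RESP_INGRESS_DROP,  /* query outside the interface range: never enters the stack */
    RESP_SYN_ACK,       /* connection accepted */
    RESP_RST,           /* closed port: RST goes out at the query's own label */
    RESP_TIMEOUT        /* listening socket at another label: silently denied */
};

/*
 * Outcome of a SYN with label `query` arriving on an interface with range `ifr`.
 * Assumption made here: delivery to a socket requires the packet label to equal
 * the socket label, and a denied delivery produces no reply at all.
 */
static enum tcp_response model_syn_response(mls_label query, mls_range ifr,
                                            bool listening, mls_label sock)
{
    if (!mls_in_range(query, ifr))
        return RESP_INGRESS_DROP;
    if (!listening)
        return RESP_RST;      /* RST is labelled with the query, which already cleared the range */
    if (!mls_equal(query, sock))
        return RESP_TIMEOUT;  /* access control drops the SYN and nothing is sent back */
    /* SYN-ACK carries the socket's label, equal to the query's, so it clears the same range. */
    return RESP_SYN_ACK;
}

/*
 * True when a sender at `probe` can tell a closed port from a listening one it
 * is not allowed to reach: the RST-versus-timeout difference noted in the message.
 */
static bool probe_distinguishes_ports(mls_label probe, mls_range ifr, mls_label sock)
{
    return model_syn_response(probe, ifr, false, sock) == RESP_RST &&
           model_syn_response(probe, ifr, true, sock) == RESP_TIMEOUT;
}

int main(void)
{
    /* Constructed sample: the interface passes unclassified..top secret, the socket
     * is top secret with compartment 1, the probe arrives at secret, no compartments. */
    mls_range ifr = { {0, 0}, {2, 0xff} };
    mls_label sock = { 2, 1 };
    mls_label probe = { 1, 0 };
    static const char *names[] = { "ingress drop", "SYN-ACK", "RST", "timeout" };

    printf("closed port: %s (reply at level %u)\n",
           names[model_syn_response(probe, ifr, false, sock)],
           reply_label(probe, false, sock).level);
    printf("open port  : %s (reply would be at level %u)\n",
           names[model_syn_response(probe, ifr, true, sock)],
           reply_label(probe, true, sock).level);
    printf("probe learns port state: %s\n",
           probe_distinguishes_ports(probe, ifr, sock) ? "yes" : "no");
    return 0;
}
```

Running it shows the asymmetry the message points out: the secret-level probe gets an RST from a closed port but a timeout from the top-secret listener, so port state at a label it may not talk to is still observable. A probe at the socket's own label gets RST versus SYN-ACK instead, which is the normal, permitted distinction.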


