I have packet labeling working prototype

Robert Watson rwatson at FreeBSD.org
Tue Sep 25 16:55:29 GMT 2001


On Tue, 25 Sep 2001, Ilmar S. Habibulin wrote:

> TCP connections now are monitored and I can make access control
> decisions based on packet label. I used CIPSO in IP header and mbuf
> labeling (in m_pkthdr), proposed by Robert. It's simple to reimplement
> it using IPSO(RIPSO), but IMHO IPSO(RIPSO) has limited abilities.

Great news.  I'm in the process of updating the MAC code for post-KSE in
FreeBSD 5.0-CURRENT, and hope to have a MAC system up and running again
this afternoon.  I've also poked a little at the network stack issues for
access control on out-going packets, and would be interested in knowing
what approach you were taking.  In my most recent pass, I simply have
checks at the top of the physical layer abstraction (ether_output() and
others) to see whether the outgoing packet label in the mbuf is acceptable
according to the labels on the interface.  I suspect I need a better
abstraction for the "label range", and will look at that in the next
couple of days.  The concern, of course, is that "label range" assumes the
possibility of defining useful scopes of labels based on two endpoints,
which is true of Biba and MLS, but not of more general policies such as
TE.

I hope to post an updated patch within a day or two, and would like to get
your IPSO changes integrated.  Given that we still lack a means for
trusted applications to manage the labeling on sockets (TSIX, presumably,
in the short term), we'll need to address that concern.  Right now, all
labeling of packets in my implementation is implicit based on the
credential bound to the socket at creation time.  This probably needs
substantial adjustment.

> Now I'm trying to implement something over UDP. The problem is - absence
> of any standards on UDP packets handling based on labels. So I have to
> develop my own algorithm. Maybe someone can share some information with me
> on that topic?

I had assumed it would continue to be present in UDP as an IP option, but
could be wrong.  Another thing I'd like to look at is picking up labeling
from IPsec tunnel endpoint properties: where a virtual interface is used
for the tunnel endpoint, this should actually be pretty trivial, and might
already work now (modulo lack of admin tools for labels on interfaces).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services
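The interface "label range" check described above, written out as an added example. This is not TrustedBSD or FreeBSD code and does not use the MAC framework's real types: the MLS label and range structures, the TE allowed-type set, the XMIT_PASS/XMIT_DROP results and all function names are assumptions made for the illustration, and the sample interface range and packet labels in main() are constructed. It shows the two-endpoint check that fits MLS (and, with the dominance direction reversed, Biba), and beside it the set-membership check a TE policy needs, which no pair of endpoints expresses.

```c
/*
 * Added example, not TrustedBSD or FreeBSD code. It sketches the interface
 * label-range check the message describes for ether_output(): the label
 * carried with the outgoing packet must lie within the interface's range.
 * The label and range types, the TE "allowed types" set and all function
 * names are assumptions made for this illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical MLS label: a sensitivity level plus a set of compartments. */
struct mls_label {
    unsigned level;          /* higher value = more sensitive */
    uint64_t compartments;   /* bitmask, one bit per compartment */
};

/* Hypothetical interface range: labels in [low, high] may be transmitted. */
struct mls_range {
    struct mls_label low;
    struct mls_label high;
};

/* a dominates b iff a.level >= b.level and a's compartments include b's. */
static bool mls_dominate(const struct mls_label *a, const struct mls_label *b)
{
    return a->level >= b->level &&
           (a->compartments & b->compartments) == b->compartments;
}

/* A range only makes sense if its high endpoint dominates its low one. */
static bool mls_range_valid(const struct mls_range *r)
{
    return mls_dominate(&r->high, &r->low);
}

/* Interval test on the lattice: low <= pkt <= high. A label incomparable
 * with an endpoint (e.g. a compartment the interface does not carry) fails. */
static bool mls_range_contains(const struct mls_range *r,
                               const struct mls_label *pkt)
{
    return mls_range_valid(r) &&
           mls_dominate(pkt, &r->low) &&
           mls_dominate(&r->high, pkt);
}

/* Hypothetical results an output-path hook would hand back to its caller. */
enum { XMIT_PASS = 0, XMIT_DROP = 1 };

static int mls_check_transmit(const struct mls_range *ifrange,
                              const struct mls_label *pktlabel)
{
    return mls_range_contains(ifrange, pktlabel) ? XMIT_PASS : XMIT_DROP;
}

/*
 * Type Enforcement has no "range": an interface simply has a set of packet
 * types it may carry. The set is a bitmask of hypothetical type ids here,
 * which is why a two-endpoint abstraction does not describe it.
 */
static int te_check_transmit(uint64_t allowed_types, unsigned pkt_type)
{
    if (pkt_type >= 64)
        return XMIT_DROP;               /* unknown type id: fail closed */
    return (allowed_types & (UINT64_C(1) << pkt_type)) ? XMIT_PASS : XMIT_DROP;
}

int main(void)
{
    /* Constructed sample: an interface cleared for levels 1..3 and
     * compartments {0,1} (mask 0x3). */
    struct mls_range ifr  = { { 1, 0x0 }, { 3, 0x3 } };
    struct mls_label ok   = { 2, 0x1 };   /* inside the range */
    struct mls_label high = { 4, 0x1 };   /* level above the interface high */
    struct mls_label comp = { 2, 0x4 };   /* compartment 2 not on this link */

    printf("ok   -> %s\n", mls_check_transmit(&ifr, &ok)   == XMIT_PASS ? "pass" : "drop");
    printf("high -> %s\n", mls_check_transmit(&ifr, &high) == XMIT_PASS ? "pass" : "drop");
    printf("comp -> %s\n", mls_check_transmit(&ifr, &comp) == XMIT_PASS ? "pass" : "drop");
    printf("te   -> %s\n", te_check_transmit(0x5, 2) == XMIT_PASS ? "pass" : "drop");
    return 0;
}
```

The compartment case is the one worth keeping in mind: a packet can sit at an acceptable level and still be incomparable with the interface's high label, so the check has to be a dominance test on the lattice rather than a comparison of levels. A malformed range (low not dominated by high) rejects every packet, which is the safe default for an interface whose labels an administrator has not yet set, the situation the message notes for lack of interface label tools.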
