NetLabel CIPSO/IPv4 Protocol Engine
==============================================================================
Paul Moore, paul.moore@hp.com

May 17, 2006

* Overview

The NetLabel CIPSO/IPv4 protocol engine is based on the IETF Commercial IP
Security Option (CIPSO) draft from July 16, 1992. A copy of this draft can be
found in this directory; consult '00-INDEX' for the filename. While the IETF
draft never made it to an RFC standard, it has become a de facto standard for
labeled networking and is used in many trusted operating systems.

* Outbound Packet Processing

The CIPSO/IPv4 protocol engine applies the CIPSO IP option to packets by
attaching the CIPSO label to the socket, so every packet leaving the system
through that socket carries the CIPSO IP option. The socket's CIPSO label can
be changed at any point in time; however, it is recommended that it be set when
the socket is created. The LSM can set the socket's CIPSO label through the
NetLabel security module API: if the NetLabel "domain" is configured to use
CIPSO for packet labeling, a CIPSO IP option is generated and attached to the
socket.

* Inbound Packet Processing

The CIPSO/IPv4 protocol engine validates every CIPSO IP option it finds at the
IP layer, with no special handling required from the LSM. However, to decode
and translate the CIPSO label on the packet, the LSM must use the NetLabel
security module API to extract the packet's security attributes. This is
typically done at the socket layer from the 'socket_sock_rcv_skb()' LSM hook.

* Label Translation

The CIPSO/IPv4 protocol engine contains a mechanism to translate CIPSO security
attributes, such as sensitivity level and category, into values appropriate for
the host. These mappings are defined as part of a CIPSO Domain Of
Interpretation (DOI) definition and are configured through the NetLabel user
space communication layer. Each DOI definition can have a different security
attribute mapping table.
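The inbound validation and the DOI-based translation described above, as an added example in C that is not part of this documentation or of the kernel's own cipso_ipv4.c: it checks the option framing the way the engine does before any LSM is involved, then maps a tag type 1 sensitivity level and restrictive category bitmap through a constructed DOI definition. The struct names, the error codes and the DOI table contents (DOI 3, levels 0-9 shifted up by ten, categories 0-15 reversed) are assumptions for illustration; the option layout (type 134, length, 4-byte DOI, then tags) and the tag type 1 layout (type, length, alignment octet, level, bitmap) follow the 1992 CIPSO draft.

```c
/* Added example, not kernel code: user-space CIPSO/IPv4 option validation and
 * DOI translation. Names, error codes and the DOI table are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CIPSO_OPT_TYPE    134   /* IP option type for CIPSO (1992 draft) */
#define CIPSO_TAG_RBITMAP 1     /* tag type 1: restrictive category bitmap */
#define CIPSO_MAX_CATS    240   /* tag type 1 carries at most 30 bitmap octets */

enum { CIPSO_OK = 0, CIPSO_ERR_FORMAT = -1, CIPSO_ERR_DOI = -2, CIPSO_ERR_MAP = -3 };

/* Host-side result of decoding one CIPSO option. */
struct cipso_label {
    uint32_t doi;
    uint8_t  level;                    /* host sensitivity level after mapping */
    uint8_t  cats[CIPSO_MAX_CATS / 8]; /* host category bitmap after mapping */
};

/* A DOI definition: the DOI it applies to plus its translation tables.
 * 0xff / 0xffff mean "no host equivalent" and make the decoder reject. */
struct cipso_doi_def {
    uint32_t doi;
    uint8_t  level_map[256];          /* network level -> host level */
    uint16_t cat_map[CIPSO_MAX_CATS];  /* network category -> host category */
};

/* Validate and translate one tag type 1 (tag points at the tag type octet). */
static int cipso_parse_tag1(const uint8_t *tag, size_t tag_len,
                            const struct cipso_doi_def *def,
                            struct cipso_label *out)
{
    /* type + length + alignment + level is the minimum; bitmap <= 30 octets */
    if (tag_len < 4 || tag_len > 34 || tag[2] != 0)
        return CIPSO_ERR_FORMAT;
    uint8_t host_level = def->level_map[tag[3]];
    if (host_level == 0xff)
        return CIPSO_ERR_MAP;

    memset(out->cats, 0, sizeof(out->cats));
    size_t nbits = (tag_len - 4) * 8;
    for (size_t net_cat = 0; net_cat < nbits; net_cat++) {
        /* category 0 is the most significant bit of the first bitmap octet */
        if (!(tag[4 + net_cat / 8] & (0x80 >> (net_cat % 8))))
            continue;
        uint16_t host_cat = def->cat_map[net_cat];
        if (host_cat == 0xffff)
            return CIPSO_ERR_MAP;   /* unmapped category: reject the packet */
        out->cats[host_cat / 8] |= (uint8_t)(0x80 >> (host_cat % 8));
    }
    out->level = host_level;
    return CIPSO_OK;
}

/* Check the option framing as the inbound path would, then translate it. */
int cipso_decode(const uint8_t *opt, size_t opt_len,
                 const struct cipso_doi_def *def, struct cipso_label *out)
{
    /* type + length + 4-byte DOI is the smallest possible option */
    if (opt_len < 6 || opt[0] != CIPSO_OPT_TYPE || opt[1] != opt_len)
        return CIPSO_ERR_FORMAT;
    uint32_t doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
                   ((uint32_t)opt[4] << 8) | opt[5];
    if (doi == 0 || doi != def->doi)
        return CIPSO_ERR_DOI;   /* DOI 0 is reserved; unknown DOIs are dropped */
    out->doi = doi;

    size_t pos = 6;             /* walk the tags; each must fit in the option */
    while (pos < opt_len) {
        if (opt_len - pos < 2)
            return CIPSO_ERR_FORMAT;
        uint8_t tlen = opt[pos + 1];
        if (tlen < 2 || tlen > opt_len - pos)
            return CIPSO_ERR_FORMAT;
        if (opt[pos] == CIPSO_TAG_RBITMAP)
            return cipso_parse_tag1(opt + pos, tlen, def, out);
        pos += tlen;            /* other tag types are skipped in this example */
    }
    return CIPSO_ERR_FORMAT;    /* no supported tag present */
}

/* Constructed DOI definition: DOI 3, levels 0-9 -> 10-19, cats 0-15 reversed. */
void example_doi(struct cipso_doi_def *def)
{
    memset(def, 0xff, sizeof(*def));
    def->doi = 3;
    for (int i = 0; i < 10; i++) def->level_map[i] = (uint8_t)(i + 10);
    for (int i = 0; i < 16; i++) def->cat_map[i] = (uint16_t)(15 - i);
}

int main(void)
{
    /* constructed option: DOI 3, tag 1, level 2, categories {0, 1, 15} */
    const uint8_t opt[] = {134, 12, 0, 0, 0, 3, 1, 6, 0, 2, 0xC0, 0x01};
    struct cipso_doi_def def;
    struct cipso_label lbl;
    example_doi(&def);
    int rc = cipso_decode(opt, sizeof opt, &def, &lbl);
    printf("rc=%d level=%u cats[0]=0x%02x cats[1]=0x%02x\n",
           rc, lbl.level, lbl.cats[0], lbl.cats[1]);
    return rc;
}
```

A DOI definition only applies to packets carrying that DOI, and an unknown DOI or a level or category with no host mapping rejects the option outright rather than guessing a value; that fail-closed behaviour is the property a labeled-networking deployment depends on, so a test suite for a DOI mapping should exercise the malformed and unmapped cases as well as the happy path.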

* Label Translation Cache

The NetLabel system provides a framework for caching security attribute
mappings from network labels to the corresponding LSM identifiers. The
CIPSO/IPv4 protocol engine supports this caching mechanism.