===================================
NetLabel CIPSO/IPv4 Protocol Engine
===================================

Paul Moore, paul.moore@hp.com

May 17, 2006

Overview
========

The NetLabel CIPSO/IPv4 protocol engine is based on the IETF Commercial
IP Security Option (CIPSO) draft from July 16, 1992.  A copy of this
draft can be found in this directory
(draft-ietf-cipso-ipsecurity-01.txt).  While the IETF draft never made
it to an RFC standard, it has become a de-facto standard for labeled
networking and is used in many trusted operating systems.

Outbound Packet Processing
==========================

The CIPSO/IPv4 protocol engine applies the CIPSO IP option to packets by
adding the CIPSO label to the socket.  This causes all packets leaving the
system through the socket to have the CIPSO IP option applied.  The socket's
CIPSO label can be changed at any point in time; however, it is recommended
that it be set when the socket is created.  The LSM can set the socket's CIPSO
label by using the NetLabel security module API; if the NetLabel "domain" is
configured to use CIPSO for packet labeling, then a CIPSO IP option will be
generated and attached to the socket.

Inbound Packet Processing
=========================

The CIPSO/IPv4 protocol engine validates every CIPSO IP option it finds at the
IP layer without any special handling required by the LSM.  However, in order
to decode and translate the CIPSO label on the packet, the LSM must use the
NetLabel security module API to extract the security attributes of the packet.
This is typically done at the socket layer using the 'socket_sock_rcv_skb()'
LSM hook.

Label Translation
=================

The CIPSO/IPv4 protocol engine contains a mechanism to translate CIPSO security
attributes such as sensitivity level and category to values which are
appropriate for the host.  These mappings are defined as part of a CIPSO
Domain Of Interpretation (DOI) definition and are configured through the
NetLabel user space communication layer.  Each DOI definition can have a
different security attribute mapping table.

Label Translation Cache
=======================

The NetLabel system provides a framework for caching security attribute
mappings from the network labels to the corresponding LSM identifiers.  The
CIPSO/IPv4 protocol engine supports this caching mechanism.
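The inbound validation and the per-DOI level translation described in the
sections above, shown as an added example in C that is not part of the
kernel's NetLabel code.  It parses a CIPSO IPv4 option (option type 134,
option length, 4-octet DOI, then tags) modelled on
draft-ietf-cipso-ipsecurity-01, handles only tag type 1 (bit-mapped
categories), rejects malformed options, and maps the wire sensitivity level
through a constructed DOI table.  The struct names, the ``CIPSO_INV_LVL``
marker, the requirement that at least one tag be present, the treatment of
DOI 0 as reserved, the MSB-first bitmap convention and the sample option
bytes are this example's assumptions, not kernel interfaces.

```c
/* Added example, not the kernel's NetLabel code: a minimal CIPSO/IPv4
 * option parser plus a DOI level-translation table.  Assumptions are
 * marked in comments. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CIPSO_OPT_TYPE     134   /* IP option type for CIPSO */
#define CIPSO_OPT_MAX_LEN  40    /* IPv4 options cannot exceed 40 octets */
#define CIPSO_TAG_BITMAP   1     /* tag type 1: bit-mapped categories */
#define CIPSO_INV_LVL      0xFF  /* assumption: "no host mapping" marker */

struct cipso_label {
    uint32_t doi;
    uint8_t  level;          /* sensitivity level as carried on the wire */
    uint8_t  cats[30];       /* category bitmap; assumption: MSB of cats[0] is category 0 */
    uint8_t  cats_len;
};

/* Constructed DOI definition: wire level -> host level (assumed layout) */
struct cipso_doi {
    uint32_t doi;
    uint8_t  lvl_map[256];
};

/* Returns 0 on success; negative codes identify the check that failed. */
int cipso_parse(const uint8_t *opt, size_t len, struct cipso_label *out)
{
    size_t off = 6;
    int tags = 0;

    if (len < 6 || len > CIPSO_OPT_MAX_LEN) return -1;
    if (opt[0] != CIPSO_OPT_TYPE || opt[1] != len) return -1;

    memset(out, 0, sizeof(*out));
    out->doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
               ((uint32_t)opt[4] << 8)  |  (uint32_t)opt[5];
    if (out->doi == 0) return -2;   /* assumption: DOI 0 treated as reserved */

    while (off < len) {
        uint8_t tag_type, tag_len;
        if (len - off < 2) return -3;                 /* truncated tag header */
        tag_type = opt[off];
        tag_len  = opt[off + 1];
        if (tag_len < 2 || tag_len > len - off) return -3;
        if (tag_type != CIPSO_TAG_BITMAP) return -4;  /* only tag type 1 handled here */
        if (tag_len < 4 || tag_len > 34) return -3;   /* 4-octet header + up to 30 bitmap octets */
        if (opt[off + 2] != 0) return -3;             /* alignment octet must be zero */
        out->level = opt[off + 3];
        out->cats_len = tag_len - 4;
        memcpy(out->cats, &opt[off + 4], out->cats_len);
        off += tag_len;
        tags++;
    }
    return tags ? 0 : -3;   /* assumption: at least one tag is required */
}

/* 1 if category 'cat' is set in the label's bitmap, else 0 */
int cipso_cat_is_set(const struct cipso_label *lbl, unsigned cat)
{
    unsigned byte = cat / 8, bit = 7 - (cat % 8);
    if (byte >= lbl->cats_len) return 0;
    return (lbl->cats[byte] >> bit) & 1;
}

/* Translate the wire level through the DOI table; -1 if DOI mismatch or unmapped */
int cipso_translate_level(const struct cipso_doi *doi,
                          const struct cipso_label *lbl, uint8_t *host_level)
{
    uint8_t h;
    if (doi->doi != lbl->doi) return -1;
    h = doi->lvl_map[lbl->level];
    if (h == CIPSO_INV_LVL) return -1;
    *host_level = h;
    return 0;
}

/* Constructed sample: DOI 3, one bit-mapped tag, level 5, categories 0 and 9 */
static const uint8_t SAMPLE_OPT[] = {
    CIPSO_OPT_TYPE, 12, 0, 0, 0, 3,        /* type, length, DOI */
    CIPSO_TAG_BITMAP, 6, 0, 5, 0x80, 0x40  /* tag, len, align, level, bitmap */
};

static void sample_doi_init(struct cipso_doi *d)
{
    memset(d->lvl_map, CIPSO_INV_LVL, sizeof(d->lvl_map));
    d->doi = 3;
    d->lvl_map[5] = 2;   /* constructed mapping: wire level 5 -> host level 2 */
}

/* Helpers returning values so the behaviour can be checked without I/O */
int sample_host_level(void)
{
    struct cipso_label lbl; struct cipso_doi d; uint8_t h;
    if (cipso_parse(SAMPLE_OPT, sizeof(SAMPLE_OPT), &lbl)) return -1;
    sample_doi_init(&d);
    return cipso_translate_level(&d, &lbl, &h) ? -1 : h;
}

int sample_cat_set(unsigned cat)
{
    struct cipso_label lbl;
    if (cipso_parse(SAMPLE_OPT, sizeof(SAMPLE_OPT), &lbl)) return -1;
    return cipso_cat_is_set(&lbl, cat);
}

int sample_bad_alignment(void)
{
    uint8_t bad[sizeof(SAMPLE_OPT)]; struct cipso_label lbl;
    memcpy(bad, SAMPLE_OPT, sizeof(bad));
    bad[8] = 1;   /* corrupt the alignment octet */
    return cipso_parse(bad, sizeof(bad), &lbl);
}
```

The parser rejects the option before any translation is attempted, which
mirrors the ordering in the text: validation happens at the IP layer for
every option, and only a well-formed option with a known DOI is mapped to
host values.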