[redhat-lspp] [PATCH] lsm-secpeer for IPSec labels

Roe, William H. William.Roe at gd-ais.com
Fri Sep 16 18:41:04 UTC 2005


Stephen,

Can a controlled interface, dual-homed host, make a determination to
drop packets based upon the SPI and subsequent label if it is located
between two networks that are communicating via IPSEC?  

Bill

William Roe, CISSP, M.S. IA
General Dynamics AIS
Intelligence Mission Solutions
Technical Engineering Matrix Manager
Sr. Lead Software Engineer
410/859-2076 office
443/220-8910 blackberry
william.roe at gd-ais.com
 
 



-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov] 
Sent: Friday, September 16, 2005 2:24 PM
To: Roe, William H.
Cc: Paul Moore; redhat-lspp at redhat.com
Subject: RE: [redhat-lspp] [PATCH] lsm-secpeer for IPSec labels

On Fri, 2005-09-16 at 13:49 -0400, Roe, William H. wrote:
> It is very likely that the current IPSEC networking scheme may NOT be
> accreditable above DCID 6/3 PL3.  The issue is confirmation of the
> origin of the system connecting.  It has to be differentiated at the
> packet level otherwise you limit the extensibility of the network to
> only those known to be at the same classification level, though you
> may allow different compartments via encryption segregation.
>
> DCID 6/3 Label1 and Label2 REQUIRE the explicit electronic labeling of
> media.  Label1 and Label2 are required for deployment of PL4 systems.
> Implicit or inference labeling are only allowed at PL3 and below.  That
> basically means that everyone on the network HAS to have the SAME
> security clearance, but do not have to have the same need to know
> which is a PL3 not PL4 network.

With the IPSEC-based labeling, each packet still has a SPI that
references a SA that contains the actual security label.  Hence, each
packet is "labeled", just not in a form that is directly interpretable
by an intermediate network component without further information.  This
can actually be an advantage, as the "labels" i.e. the SPIs do not give
away meaningful information to any arbitrary reader of the network
traffic.  Does that address your concern?

Disclaimer:  I'm not a certifier/accreditor.

--
Stephen Smalley
National Security Agency




