[redhat-lspp] [PATCH] lsm-secpeer for IPSec labels
Paul Moore
paul.moore at hp.com
Fri Sep 16 18:55:41 UTC 2005
Roe, William H. wrote:
> Stephen,
>
> Can a controlled interface, dual-homed host, make a determination to
> drop packets based upon the SPI and subsequent label if it is located
> between two networks that are communicating via IPSEC?
>
> Bill
Only the two IPsec endpoints are aware of the significance of the
packet's SPI, otherwise it is just a random looking number. Without some
extra yet-to-be-created infrastructure it would be impossible for a
third party host/router to make packet filtering decisions using the
IPsec labeling approach.
> William Roe, CISSP, M.S. IA
> General Dynamics AIS
> Intelligence Mission Solutions
> Technical Engineering Matrix Manager
> Sr. Lead Software Engineer
> 410/859-2076 office
> 443/220-8910 blackberry
> william.roe at gd-ais.com
>
>
>
> Confidentiality Note: This e-mail is intended only for the person or
> entity to which it is addressed, and may contain information that is
> privileged, confidential, or otherwise protected from disclosure.
> Dissemination, distribution, or copying of this e-mail or the
> information herein by anyone other than the intended recipient is
> prohibited. If you have received this e-mail in error, please notify
> the sender by reply e-mail, phone, or fax, and destroy the original
> message and all copies. Thank you.
>
>
> -----Original Message-----
> From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
> Sent: Friday, September 16, 2005 2:24 PM
> To: Roe, William H.
> Cc: Paul Moore; redhat-lspp at redhat.com
> Subject: RE: [redhat-lspp] [PATCH] lsm-secpeer for IPSec labels
>
> On Fri, 2005-09-16 at 13:49 -0400, Roe, William H. wrote:
>
>>It is very likely that the current IPSEC networking scheme may NOT be
>>accreditable above DCID 6/3 PL3. The issue is confirmation of the
>>origin of the system connecting. It has to be differentiated at the
>>packet level otherwise you limit the extensibility of the network to
>>only those known to be at the same classification level, though you
>>may allow different compartments via encryption segregation.
>>
>>DCID 6/3 Label1 and Label2 REQUIRE the explicit electronic labeling of
>>media. Label1 and Label2 are required for deployment of PL4 systems.
>>Implicit or inference labeling are only allowed at PL3 and below. That
>>basically means that everyone on the network HAS to have the SAME
>>security clearance, but do not have to have the same need to know
>>which is a PL3 not PL4 network.
>
>
> With the IPSEC-based labeling, each packet still has a SPI that
> references a SA that contains the actual security label. Hence, each
> packet is "labeled", just not in a form that is directly interpretable
> by an intermediate network component without further information. This
> can actually be an advantage, as the "labels" i.e. the SPIs do not give
> away meaningful information to any arbitrary reader of the network
> traffic. Does that address your concern?
>
> Disclaimer: I'm not a certifier/accreditor.
>
> --
> Stephen Smalley
> National Security Agency
>
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore at hp.com hewlett packard
. (603) 884-5056 linux security
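The following is an added illustration of the SPI/SA indirection discussed in this thread; it is not code from the thread, from the lsm-secpeer patch, or from the kernel. It models a Security Association Database (SAD) keyed by SPI, with the security label stored only in the SA. The ESP header layout (32-bit SPI followed by a 32-bit sequence number) follows RFC 4303; the SPI values, the label names, the MLS ordering and the socket labels are constructed for the example. An endpoint that holds the SA can recover the label and apply a dominance check; a host that does not hold the SA sees only the opaque SPI and cannot derive a label at all, which is the point both Stephen and Paul make above.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# ESP header per RFC 4303: SPI (32 bits) then sequence number (32 bits),
# followed by the (encrypted) payload. Nothing in these bytes is a label.
ESP_HDR = struct.Struct("!II")


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    peer: str
    label: str  # security label bound to the SA, never carried on the wire


class LabeledSAD:
    """Security Association Database keyed by SPI (constructed model)."""

    def __init__(self) -> None:
        self._by_spi: dict[int, SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._by_spi[sa.spi] = sa

    def lookup(self, spi: int) -> Optional[SecurityAssociation]:
        return self._by_spi.get(spi)


def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """Assemble a minimal ESP packet: header plus opaque payload."""
    return ESP_HDR.pack(spi, seq) + payload


def parse_esp(packet: bytes) -> tuple[int, int]:
    """Return (spi, seq) from an ESP packet; raise on a truncated header."""
    if len(packet) < ESP_HDR.size:
        raise ValueError("short ESP packet")
    return ESP_HDR.unpack_from(packet)


def resolve_label(sad: LabeledSAD, packet: bytes) -> Optional[str]:
    """Map a packet to a label via its SA, or None if this host lacks the SA."""
    spi, _seq = parse_esp(packet)
    sa = sad.lookup(spi)
    return sa.label if sa is not None else None


# Constructed MLS-style ordering used for the dominance check.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


def dominates(high: str, low: str) -> bool:
    """True if label `high` dominates label `low` in the constructed lattice."""
    return LEVELS[high] >= LEVELS[low]


def endpoint_decision(sad: LabeledSAD, packet: bytes, socket_label: str) -> str:
    """Accept/drop decision an IPsec endpoint can make from its own SAD."""
    label = resolve_label(sad, packet)
    if label is None:
        return "drop: unknown SPI"
    if not dominates(socket_label, label):
        return f"drop: socket label {socket_label} does not dominate {label}"
    return f"accept: label {label}"


def intermediate_decision(sad: LabeledSAD, packet: bytes) -> str:
    """What a dual-homed host between the endpoints can conclude."""
    spi, _seq = parse_esp(packet)
    label = resolve_label(sad, packet)
    if label is None:
        return f"undetermined: SPI {spi:#010x} is opaque without the SA"
    return f"label {label} (only possible if the SA was shared with us)"


if __name__ == "__main__":
    endpoint_sad = LabeledSAD()
    endpoint_sad.add(SecurityAssociation(spi=0x00001000, peer="hostA", label="secret"))
    pkt = build_esp(0x00001000, 1, b"<ciphertext>")  # constructed packet

    print(endpoint_decision(endpoint_sad, pkt, "secret"))
    print(endpoint_decision(endpoint_sad, pkt, "unclassified"))
    print(intermediate_decision(LabeledSAD(), pkt))  # router holds no SA
```

The router case returns "undetermined" rather than a label because `resolve_label` has nothing to key on: the only wire-visible field is the SPI, and the SAD that gives it meaning exists on the two endpoints alone.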