[redhat-lspp] [PATCH] lsm-secpeer for IPSec labels

Paul Moore paul.moore at hp.com
Fri Sep 16 18:55:41 UTC 2005


Roe, William H. wrote:
> Stephen,
> 
> Can a controlled interface, dual-homed host, make a determination to
> drop packets based upon the SPI and subsequent label if it is located
> between two networks that are communicating via IPSEC?  
> 
> Bill

Only the two IPsec endpoints are aware of the significance of the 
packet's SPI, otherwise it is just a random looking number.  Without some 
extra yet-to-be-created infrastructure it would be impossible for a 
third party host/router to make packet filtering decisions using the 
IPsec labeling approach.

> William Roe, CISSP, M.S. IA
> General Dynamics AIS
> Intelligence Mission Solutions
> Technical Engineering Matrix Manager
> Sr. Lead Software Engineer
> 410/859-2076 office
> 443/220-8910 blackberry
> william.roe at gd-ais.com
>  
>  
> 
> 
> 
> -----Original Message-----
> From: Stephen Smalley [mailto:sds at tycho.nsa.gov] 
> Sent: Friday, September 16, 2005 2:24 PM
> To: Roe, William H.
> Cc: Paul Moore; redhat-lspp at redhat.com
> Subject: RE: [redhat-lspp] [PATCH] lsm-secpeer for IPSec labels
> 
> On Fri, 2005-09-16 at 13:49 -0400, Roe, William H. wrote:
> 
>>It is very likely that the current IPSEC networking scheme may NOT be 
>>accreditable above DCID 6/3 PL3.  The issue is confirmation of the 
>>origin of the system connecting.  It has to be differentiated at the 
>>packet level otherwise you limit the extensibility of the network to 
>>only those known to be at the same classification level, though you 
>>may allow different compartments via encryption segregation.
>>
>>DCID 6/3 Label1 and Label2 REQUIRE the explicit electronic labeling of
>>media.  Label1 and Label2 are required for deployment of PL4 systems.
>>Implicit or inference labeling are only allowed at PL3 and below.  That
>>basically means that everyone on the network HAS to have the SAME 
>>security clearance, but do not have to have the same need to know 
>>which is a PL3 not PL4 network.
> 
> 
> With the IPSEC-based labeling, each packet still has a SPI that
> references a SA that contains the actual security label.  Hence, each
> packet is "labeled", just not in a form that is directly interpretable
> by an intermediate network component without further information.  This
> can actually be an advantage, as the "labels" i.e. the SPIs do not give
> away meaningful information to any arbitrary reader of the network
> traffic.  Does that address your concern?
> 
> Disclaimer:  I'm not a certifier/accreditor.
> 
> --
> Stephen Smalley
> National Security Agency
> 
> 
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp


-- 
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore at hp.com                                      hewlett packard
. (603) 884-5056                                          linux security
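The point made in this thread (the ESP header carries only an SPI, and the label lives in the Security Association that the SPI references) can be made concrete with a small model. The following is an added example, not code from the list thread or from the lsm-secpeer patch; the SAD layout, destination addresses, SPI values and SELinux-style label strings are constructed assumptions.

```python
"""Toy model of IPsec SA-based labeling: only a host holding the SA entry
for a packet's SPI can recover the security label; an intermediate router
without that SA sees nothing but an opaque 32-bit number.
All packets, SPIs and labels here are constructed sample values."""
import struct
from typing import Dict, Optional, Tuple

# ESP header (RFC 4303): 32-bit SPI followed by a 32-bit sequence number,
# both in network byte order.
ESP_HDR = struct.Struct("!II")

# Security Association Database: (destination, SPI) -> label.
# Hypothetical SELinux-style context strings stand in for real labels.
SAD = Dict[Tuple[str, int], str]


def parse_esp_header(pkt: bytes) -> Tuple[int, int]:
    """Return (spi, seq) from the start of an ESP packet; raise on short input."""
    if len(pkt) < ESP_HDR.size:
        raise ValueError("truncated ESP header")
    return ESP_HDR.unpack_from(pkt, 0)


def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ESP packet prefix from SPI, sequence number and payload."""
    return ESP_HDR.pack(spi, seq) + payload


def label_for_packet(sad: SAD, dst: str, pkt: bytes) -> Optional[str]:
    """Resolve the label of an inbound ESP packet through the SAD.

    Returns None when this host holds no SA for (dst, SPI), which is the
    position an intermediate router is in: the SPI alone carries no meaning.
    """
    spi, _seq = parse_esp_header(pkt)
    return sad.get((dst, spi))


# Constructed sample: endpoint 10.0.0.2 holds an SA for SPI 0x7a3f1c22.
ENDPOINT_SAD: SAD = {("10.0.0.2", 0x7A3F1C22): "system_u:object_r:secret_t:s2"}
ROUTER_SAD: SAD = {}  # a dual-homed host in the middle has no SA to consult

SAMPLE_PKT = build_esp(0x7A3F1C22, 1, b"\x00" * 16)


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Label as seen by the IPsec endpoint versus by an intermediate router."""
    endpoint_view = label_for_packet(ENDPOINT_SAD, "10.0.0.2", SAMPLE_PKT)
    router_view = label_for_packet(ROUTER_SAD, "10.0.0.2", SAMPLE_PKT)
    return endpoint_view, router_view


if __name__ == "__main__":
    print(demo())
```

Running the module prints the endpoint's resolved label next to `None` for the router, which is the gap the thread describes: a filtering decision at the intermediate host would need some out-of-band way to learn the SA-to-label mapping.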



