[redhat-lspp] [PATCH] lsm-secpeer for IPSec labels

Stephen Smalley sds at tycho.nsa.gov
Fri Sep 16 19:04:09 UTC 2005


On Fri, 2005-09-16 at 14:41 -0400, Roe, William H. wrote:
> Can a controlled interface, dual-homed host, make a determination to
> drop packets based upon the SPI and subsequent label if it is located
> between two networks that are communicating via IPSEC?  

As Paul noted, the short answer is no.

The question is whether that is really what you want/need, since the
same ability to perform packet filtering based on label via an
intermediate host/router makes life easier for a would-be attacker.

Ideally, you should just perform such packet filtering on the IPSEC
endpoints themselves, where the label information is available in the
SA.  If that isn't feasible, you could construct a userspace
infrastructure that allows your intermediate router/host to find out the
label for a given SPI from a given IPSEC endpoint, naturally after
authenticating the identity of that intermediate router/host and
verifying its authorization to obtain such information.

-- 
Stephen Smalley
National Security Agency
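
[Added example, not part of the original message and not code from the lsm-secpeer patch: a sketch of the userspace lookup described above, in which the IPsec endpoint authenticates an intermediate router, checks its authorization, and only then returns the label for an SPI. The SA table, router names, keys, label strings, the HMAC-SHA256 request format and all function names are assumptions constructed for illustration.]

```python
import hashlib
import hmac
import json

# Constructed sample data; every name and value below is hypothetical.
SA_LABELS = {0x1001: "system_u:object_r:net_t:s2", 0x1002: "system_u:object_r:net_t:s0"}
ROUTER_KEYS = {"gw-a": b"constructed-key-a", "gw-b": b"constructed-key-b"}
AUTHORIZED_ROUTERS = {"gw-a"}  # routers permitted to learn SA labels


def build_request(router_id, key, spi, nonce):
    """Router side: serialize the query and authenticate it with HMAC-SHA256."""
    msg = json.dumps({"router": router_id, "spi": spi, "nonce": nonce},
                     sort_keys=True).encode()
    return msg, hmac.new(key, msg, hashlib.sha256).hexdigest()


def endpoint_lookup(msg, tag, seen_nonces):
    """Endpoint side: authenticate, reject replays, authorize, then answer."""
    try:
        req = json.loads(msg)
        router, spi, nonce = str(req["router"]), int(req["spi"]), str(req["nonce"])
    except (ValueError, KeyError, TypeError):
        return ("deny", "malformed request")
    key = ROUTER_KEYS.get(router)
    if key is None:
        return ("deny", "unknown router")
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return ("deny", "bad authenticator")
    if (router, nonce) in seen_nonces:
        return ("deny", "replayed request")
    seen_nonces.add((router, nonce))
    if router not in AUTHORIZED_ROUTERS:
        return ("deny", "not authorized")
    label = SA_LABELS.get(spi)
    return ("ok", label) if label else ("deny", "no such SA")


def router_should_drop(result, allowed_levels):
    """Router side: fail closed unless the label's level is explicitly allowed."""
    status, value = result
    if status != "ok":
        return True
    return value.rsplit(":", 1)[-1] not in allowed_levels
```

The reply itself is not protected in this sketch; a deployment would carry the exchange over a mutually authenticated, encrypted channel so the label is not disclosed to or altered by anyone else on the path.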



