[redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes
Paul Moore
paul.moore at hp.com
Thu Jun 22 18:10:12 UTC 2006
Eric W. Biederman wrote:
> Paul Moore <paul.moore at hp.com> writes:
>>Dave Hansen wrote:
>>>I was just talking to Serge about this on IRC a bit. I think network
>>>namespaces might do some of what you want.
>>>
>>>Note that this is coming from somebody (me) that has never written a
>>>line of networking code in his life. So, don't pay too much attention.
>>>Just brainstorming.
>>>
>>>One of the important things that they give you is the ability to have
>>>multiple stupid daemons listening on "*:80". Each daemon thinks they
>>>"own" that port. However, the network namespace patches make sure that
>>>such a daemon doesn't receive any packets not meant for an IP owned by
>>>that daemon.
>>>
>>>So, if you added network namespaces with a rewriting netfilter rule that
>>>would mangle destination addresses to match the IP address of a
>>>containerized daemon, I _think_ you might be able to get what you want.
>>>
>>>So,
>>>
>>>1. packet comes in for port 80
>>>2. packet is tagged by secmark
>>>3. packet matches netfilter rule, is redirected to a _specific_ IP
>>>4. packet reaches containerized daemon listening on port 80
>>>
>>
>>My only concern with something like this is that it would probably wreak
>>havoc with things that do checksums/HMACs/etc with the IP addresses. I
>>think we should try to avoid packet managling as much as possibile; it
>>tends to introduce more problems than it solves (NAT anyone?). However,
>>it may be that someone has already thought of that and found a way
>>around it?
>
> Ok. The way it looks to me is this:
>
> In the first network namespace connected to the outside world.
> We setup firewall rules to look at the security association (ipsec/ipauth)
> with the packet and depending forward that packet out different interfaces
> depending upon our security rules.
>
> Each of the different outgoing interfaces hooks to a different network
> namespace. With probably a different security level.
>
> The ip address is configured the same on the filter network namespace,
> and the destination network namespaces.
>
> The tricky bit is that the filter network namespace needs firewall rules
> in place so that the returning packets are not allowed to spoof each other.
Assuming the we require each network namespace to have a unique security
label we shouldn't have a problem with one namespace attacking another
as each packet will have a different security label.
> I think you can set that up with multiple machines today, or at least
> some variety of that. Sharing the ip address between different security
> levels sounds scary to me though. NAT inside the box between multiple network
> namespaces may be more security.
I really don't like the idea of requiring the use of NAT.
> The only truly sane way I can think to do this is to give each network namespace
> it's own ip address. Which is a lot less complicated therefore easier to secure.
> Then on your filter namespace all you have to do is put in rules that suppress
> attempts to spoof another network namespaces IP address. But that kind of thing
> is routine for routers.
If I am understanding you correctly this just sounds like adding IP
aliases to an interface, or just simply adding a new NIC, and assigning
each address to a network namespace. While it's easy to do and even
easier to secure I don't think it addresses the problem we are trying to
solve - port polyinstantiation - where you can have multiple
applications bound to the same IP/protocol/port with the only difference
being the application's security label.
--
paul moore
linux security @ hp
More information about the redhat-lspp
mailing list