[redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes

Serge E. Hallyn serue at us.ibm.com
Thu Jun 22 19:17:53 UTC 2006


Quoting Paul Moore (paul.moore at hp.com):
> Assuming that we require each network namespace to have a unique security
> label we shouldn't have a problem with one namespace attacking another
> as each packet will have a different security label.
> 
> > I think you can set that up with multiple machines today, or at least
> > some variety of that.  Sharing the ip address between different security
> > levels sounds scary to me though.  NAT inside the box between multiple network
> > namespaces may be more secure.
> 
> I really don't like the idea of requiring the use of NAT.
> 
> > The only truly sane way I can think to do this is to give each network namespace
> > its own ip address.  Which is a lot less complicated therefore easier to secure.
> > Then on your filter namespace all you have to do is put in rules that suppress
> > attempts to spoof another network namespace's IP address.  But that kind of thing
> > is routine for routers.
> 
> If I am understanding you correctly this just sounds like adding IP
> aliases to an interface, or just simply adding a new NIC, and assigning
> each address to a network namespace.  While it's easy to do and even
> easier to secure I don't think it addresses the problem we are trying to
> solve - port polyinstantiation - where you can have multiple
> applications bound to the same IP/protocol/port with the only difference
> being the application's security label.

I'm really not the expert here, but nevertheless according to what I've
heard from at least the PlanetLab guys, we may not need to use NAT -
having multiple containers with the same IP address may be possible.

Eric, Andrey, Daniel?

-serge
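The anti-spoofing "filter namespace" rules sketched in the inner quoted reply, written out as an added example for this page; it is not code from the thread, the kernel, or the PlanetLab work mentioned above. It models the one-address-per-namespace design (each namespace owns its own address, egress is dropped if the source address is not one the namespace owns), with the per-namespace security-label check Paul mentions layered on top. It does not model the shared-address port polyinstantiation Paul is after. The namespace names, addresses, labels and the `src_ns`/`label` packet fields are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal model of a packet leaving a container's network namespace."""
    src_ns: str            # namespace the packet egresses from (hypothetical field)
    src: str               # source address as written in the IP header
    label: Optional[str]   # security label carried with the packet, if any


class NamespaceFilter:
    """Egress filter enforcing 'one address per namespace' plus a label check."""

    def __init__(self) -> None:
        self._prefixes: Dict[str, List] = {}
        self._labels: Dict[str, str] = {}

    def assign(self, ns: str, prefix: str, label: Optional[str] = None) -> None:
        """Record that namespace `ns` owns `prefix` (a host route or a subnet)."""
        self._prefixes.setdefault(ns, []).append(ip_network(prefix, strict=False))
        if label is not None:
            self._labels[ns] = label

    def verdict(self, pkt: Packet) -> Tuple[str, str]:
        """Return ("ACCEPT", "") or ("DROP", reason) for one packet."""
        nets = self._prefixes.get(pkt.src_ns)
        if not nets:
            return "DROP", "unknown namespace"
        try:
            addr = ip_address(pkt.src)
        except ValueError:
            return "DROP", "malformed source address"
        # Anti-spoofing: the source must be an address this namespace owns,
        # so one namespace cannot write another namespace's address into a header.
        if not any(addr in net for net in nets):
            return "DROP", "source address not owned by namespace"
        # Label check: if the namespace was assigned a label, the packet must carry it.
        expected = self._labels.get(pkt.src_ns)
        if expected is not None and pkt.label != expected:
            return "DROP", "security label mismatch"
        return "ACCEPT", ""


def demo() -> List[Tuple[Packet, str, str]]:
    """Run constructed sample traffic through the filter and return the verdicts."""
    flt = NamespaceFilter()
    flt.assign("ns_low", "10.0.1.10/32", label="s0")    # constructed sample data
    flt.assign("ns_high", "10.0.1.20/32", label="s1")
    traffic = [
        Packet("ns_low", "10.0.1.10", "s0"),      # legitimate
        Packet("ns_low", "10.0.1.20", "s0"),      # spoofing ns_high's address
        Packet("ns_high", "10.0.1.20", "s0"),     # right address, wrong label
        Packet("ns_other", "10.0.1.30", None),    # namespace never assigned
        Packet("ns_high", "10.0.1", "s1"),        # malformed header value
    ]
    return [(p, *flt.verdict(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, action, reason in demo():
        print(f"{action:6} {pkt.src_ns:8} {pkt.src:12} {reason}")
```

On a real host the same policy is what an ingress/egress anti-spoof rule set on the veth pair for each namespace would express; the label check is the extra constraint the thread discusses, and it only helps if the label is bound to the namespace rather than to the shared address.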
