On Tue, 2008-05-13 at 19:54 -0700, Jarrett Lu wrote:
> Section 2, Use Cases
> Given that the major appeal of Labeled IPsec is to allow reduced "trust"
> assumption on the network, I believe the default mode for labeled IPsec
> should be "implicit-only". "CIPSO+IPsec" may be useful. It'd be nice
> to get some comments from people who deploy trusted systems. But
> whenever a cleartext CIPSO label is in use, there is the assumption that
> the CIPSO label is not spoofed. With Labeled IPsec, we no longer blindly
> trust on-wire labels. But using CIPSO+IPsec in the wrong environment,
> where the CIPSO label can be hacked, could result in packet drops.

IPsec contains no mechanisms to prevent an attacker able to modify
packets in flight from smashing packets in a way that will cause them
to be dropped by the receiver -- and it's a feature, not a bug, that it
detects when packets are manipulated by the network.

Maybe I'm misunderstanding your concern.

> But if inner packet has no confidentiality protection,
> outer label should dominate inner label. I believe you should do this part
> in phase 1 so that we don't produce a weaker system for this case.

It's not clear to me where this check belongs -- key management user
processes run in the global zone and are thus part of the TCB.

> Section 4, s/labelled/labeled/g, for consistency through out the doc.

fixed.

> Section 5.1 PF_KEY
> I'd like to see more discussion/description on how key management
> chooses SADB_EXT_SENSITIVITY and SADB_X_EXT_OUTER_SENS
> values. For example, is this done via a config file, using the label of a zone?
> In future, we may introduce APIs to change label of a socket to a label
> that's different from its owning zone's label.

That's in section 5.5.

> Section 5.3, Trusted Networking Packet Processing
> I agree a separate privilege is appropriate. I believe NET_MAC_IMPLICIT
> is a better name than NET_MAC_BYPASS as you are bypassing putting
> an explicit label on the wire, not bypassing any part of MAC policy check.

Good point.  The spec now calls for NET_MAC_IMPLICIT and
SO_MAC_IMPLICIT.

>     "Inbound traffic from multi-label hosts not bearing an explicit sensitivity
>     label will be assigned the highest sensitivity label allowed for the host in
>     the tn*db and processed accordingly."
> 
> Perhaps I don't understand IKE negotiation well enough. Why is the label
> of an incoming packet ambiguous? 

IKE runs before any IPsec SAs exist and thus uses non-IPsec-protected
UDP (usually port 500 or 4500) to bootstrap the ESP and/or AH SAs
needed to protect "real" traffic.

> 5.4.3, nit: double word "be be labeled".

Fixed.
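The two label decisions argued over in this exchange (the reviewer's "outer label should dominate inner label when the inner packet has no confidentiality protection", and the quoted spec text assigning unlabeled traffic from a multi-label host the highest label the tn*db allows) are small enough to model in code. The following is an added example written for this page; it is not Solaris Trusted Extensions code and not the spec's own logic. The struct layouts, the 64-bit compartment mask, the tn*db stand-in with only a maximum label, the check that an explicit label must fall under that maximum, and the sample packets are all assumptions made for illustration.

```c
/*
 * Added example (not Solaris/Trusted Extensions code): a toy model of
 * the label checks discussed in the thread. Struct layouts, the tn*db
 * stand-in and the sample packets are assumptions for illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A sensitivity label: hierarchical classification plus a set of
 * compartments, modelled as a 64-bit mask (assumption). */
typedef struct {
    int      classification;    /* 0 = UNCLASSIFIED ... 3 = TOP SECRET (assumed) */
    uint64_t compartments;      /* one bit per compartment */
} sens_label_t;

/* Partial order on labels: a dominates b iff a's classification is at
 * least b's and every compartment of b is also present in a. */
bool label_dominates(sens_label_t a, sens_label_t b)
{
    return a.classification >= b.classification &&
           (b.compartments & ~a.compartments) == 0;
}

/* Stand-in for the remote host's tn*db entry: only the highest label the
 * host may send is modelled (assumption; for a single-label host the
 * range collapses to that one label). */
typedef struct {
    sens_label_t max_label;
} tnhost_t;

typedef enum { PKT_DROP = 0, PKT_ACCEPT = 1 } verdict_t;

/* Inbound packet as seen after IPsec processing (constructed fields). */
typedef struct {
    bool         has_inner_label;    /* explicit label (e.g. CIPSO) present */
    sens_label_t inner_label;
    bool         inner_confidential; /* inner packet arrived ESP-encrypted  */
    sens_label_t outer_label;        /* label bound to the SA it arrived on */
} inbound_pkt_t;

/* Decide whether to accept the packet and which label to process it at. */
verdict_t label_inbound(const inbound_pkt_t *p, const tnhost_t *host,
                        sens_label_t *assigned)
{
    if (!p->has_inner_label) {
        /* No explicit label on the wire: use the highest label the
         * tn*db allows for this host, as the quoted spec text says. */
        *assigned = host->max_label;
        return PKT_ACCEPT;
    }
    /* An explicit label above what the tn*db allows for the host is
     * rejected (assumed check, not stated on the page). */
    if (!label_dominates(host->max_label, p->inner_label))
        return PKT_DROP;
    /* Inner packet travelled in the clear: the SA's (outer) label must
     * dominate the inner label, per the review comment. An encrypted
     * inner packet is exempt from this rule. */
    if (!p->inner_confidential &&
        !label_dominates(p->outer_label, p->inner_label))
        return PKT_DROP;
    *assigned = p->inner_label;
    return PKT_ACCEPT;
}

int main(void)
{
    const sens_label_t secret_ab = { 2, 0x3 };  /* SECRET, compartments A,B */
    const sens_label_t conf_a    = { 1, 0x1 };  /* CONFIDENTIAL, compartment A */
    const tnhost_t peer = { secret_ab };        /* constructed tn*db entry */

    const inbound_pkt_t cases[] = {
        { false, { 0, 0 },   false, secret_ab }, /* unlabeled: gets host max   */
        { true,  conf_a,     false, secret_ab }, /* clear, outer dominates     */
        { true,  secret_ab,  false, conf_a    }, /* clear, outer too low: drop */
        { true,  secret_ab,  true,  conf_a    }, /* encrypted inner: exempt    */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        sens_label_t out = { -1, 0 };
        verdict_t v = label_inbound(&cases[i], &peer, &out);
        printf("case %zu: %s (class %d)\n", i,
               v == PKT_ACCEPT ? "accept" : "drop", out.classification);
    }
    return 0;
}
```

The third case is the one the reviewer is worried about: a SECRET inner label riding in the clear on a CONFIDENTIAL SA is dropped because the outer label does not dominate it, while the fourth case shows the same labels accepted once the inner packet is ESP-protected. Where in the stack this check lives (kernel inbound path versus key management in the global zone, as the reply questions) is left open; the example simply puts it at inbound processing.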
