Mikel L. Matthews wrote:
> Paul Moore wrote:
>>James Morris wrote:
>>>On Thu, 25 May 2006, Paul Moore wrote:
>>>
>>>>This patch introduces a new kernel feature designed to support labeled
>>>>networking protocols such as RIPSO and CIPSO. These protocols are required
>>>>to interoperate with existing "trusted" operating systems such as Trusted
>>>>Solaris.
>>>
>>>A few initial comments.
>>>
>>>- Did you decide that you definitely need to verify labels on fragments?
>>>
>>>I can see the code's been added to do that, but wonder about a comment
>>>made during earlier discussion that mislabeled fragments could only come
>>>from a misbehaving trusted system. What is the threat model here?
>>>
>>
>>This is one part of the patch that I really don't have a strong feeling
>>for either way. There was some concern on the LSM list that not
>>checking the fragment options might be an issue so I added some code to
>>check the fragment options. Personally I think we are probably okay
>>without it as the un-authenticated/un-verified nature of these labeling
>>protocols more or less requires either a trusted network/hosts.
>>
>>If the community decides that this check is not required then I can
>>simply drop all of the changes in ip_fragment.c.
>
> If you state you are labeling session packets (tcp or udp), that would
> lead one to believe all packets are labeled (including fragments). Based
> on our past evaluations I don't think non-labeled fragments would make
> it through an evaluation if CIPSO/RIPSO were part of the TOE/security
> Target.
>

Outgoing fragments *should* be labeled correctly assuming the Linux base
network stack does the right thing (I haven't tested this yet). The
issue we are discussing here is what to do about incoming packets where
the fragments are not consistently labeled.

--
paul moore
linux security @ hp
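
The check debated in this thread, written as an added user-space example (not code from the patch or from anyone in the thread): compare the CIPSO option of a later fragment with the one on the first fragment and flag a mismatch. The function names and the sample header are hypothetical and constructed here; the only outside assumption is that CIPSO uses IPv4 option type 134.

```c
#include <stdint.h>
#include <string.h>
#define OPT_END   0    /* end of option list */
#define OPT_NOP   1    /* one-byte padding */
#define OPT_CIPSO 134  /* 0x86: "copied" bit set, so every fragment should carry it */

/* Locate the CIPSO option in an IPv4 header; NULL if absent or options malformed. */
static const uint8_t *find_cipso(const uint8_t *hdr, size_t len, size_t *optlen)
{
    size_t ihl, i = 20;
    if (len < 20) return NULL;
    ihl = (size_t)(hdr[0] & 0x0f) * 4;          /* header length in bytes */
    if (ihl > len) return NULL;
    while (i + 1 < ihl && hdr[i] != OPT_END) {
        size_t l = hdr[i + 1];
        if (hdr[i] == OPT_NOP) { i++; continue; }
        if (l < 2 || i + l > ihl) return NULL;  /* option runs past the header */
        if (hdr[i] == OPT_CIPSO) { *optlen = l; return hdr + i; }
        i += l;
    }
    return NULL;
}

/* 1 if frag carries byte-for-byte the same label as first (or both carry none). */
int frag_label_matches(const uint8_t *first, size_t flen, const uint8_t *frag, size_t glen)
{
    size_t alen = 0, blen = 0;
    const uint8_t *a = find_cipso(first, flen, &alen);
    const uint8_t *b = find_cipso(frag, glen, &blen);
    if (!a || !b) return !a && !b;
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Constructed sample: 32-byte header, DOI 1, one tag of type 1 with the given level. */
void sample_hdr(uint8_t out[32], uint8_t level)
{
    static const uint8_t opt[12] = { OPT_CIPSO, 10, 0, 0, 0, 1, 1, 4, 0, 0, OPT_NOP, OPT_END };
    memset(out, 0, 32);
    out[0] = 0x48;              /* version 4, IHL 8 words = 32 bytes */
    memcpy(out + 20, opt, 12);
    out[29] = level;            /* sensitivity level octet of the tag */
}

int main(void)
{
    uint8_t first[32], frag[32];
    sample_hdr(first, 5); sample_hdr(frag, 7);
    return frag_label_matches(first, 32, frag, 32) != 0; /* exit 0: mismatch detected */
}
```

What to do on a mismatch (drop the fragment, drop the whole datagram, or audit) is the policy question the thread leaves open; the example only detects it.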