On Thu, 09 Aug 2001, Lachlan McIlroy wrote:
>> -----Original Message-----
>> From: linux-security-module-adminat_private
>> [mailto:linux-security-module-adminat_private]On Behalf Of
>> David Wagner
>> Sent: Thursday, August 09, 2001 2:27 PM
>> To: linux-security-moduleat_private
>> Subject: Re: Support for IPSOs
>>
>>
>> Lachlan McIlroy wrote:
>> >The attached patch adds a hook for decoding IP security
>> >options that we will need for CIPSO support. Currently,
>> >Linux drops packets with security options which isn't
>> >very helpful.
>>
>> Interesting. Note that this patch changes the existing Linux security
>> policy: If there is no LSM installed, it now accepts packets with the
>> CIPSO option. I don't see any reason why this should be problematic,
>> but I'm not familiar enough with why Linux currently drops
>> these packets:
>> Does accepting CIPSO packets introduce any new security risks?

>None that I can see, maybe I can preserve the original
>behaviour when there is no LSM installed.

It really depends on the point of view - from the network side it suddenly
appears to be a sink for labeled packets. The sender may believe that the
target SHOULD receive the packets. On the receiver's side, the response
packets won't be labeled, and the sender SHOULD drop the connection.

The only advantage I see in dropping the packets entirely is that the sender
will recognize that there is no target for labeled packets.

If the receiver does handle the packets, and the sender just accepts the
response, then labeled data will be losing the label. This would happen if
the receiver were acting as a router. In some circles this would be
considered A Bad Thing, and they would prefer not to use the host that
accepts the packets. It's not a hard rule though.

>> (We'd probably like to preserve the argument that our hooks aren't
>> likely to add any new security holes to Linux that weren't
>> already there,
>> and so I'd just like to understand better about why this
>> change is ok.)
--
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: jesse@cats-chateau.net

Any opinions expressed are solely my own.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
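The two policies argued over above, written out as an added example rather than the patch's or the list's own code: an IPv4 option walker that recognises the IP security options (RFC 1108 Basic Security, option type 130, and CIPSO, option type 134) and either drops a labeled packet when no decode hook is registered (the pre-patch Linux behaviour that Lachlan offers to preserve) or hands the option to the hook (the patched behaviour). The hook signature, register_secopt_hook(), the LOCAL_DOI value and the sample headers are all assumptions constructed for illustration; they are not taken from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_END    0
#define IPOPT_NOOP   1
#define IPOPT_SEC    130   /* RFC 1108 Basic Security (RIPSO) */
#define IPOPT_CIPSO  134   /* Commercial IP Security Option */

enum verdict { V_ACCEPT = 0, V_DROP = 1, V_MALFORMED = 2 };

/* Hypothetical decode hook in the spirit of the one the patch adds: it is
 * handed the whole option (type byte onward) and returns a verdict. */
typedef enum verdict (*secopt_hook_t)(const uint8_t *opt, size_t len);
static secopt_hook_t secopt_hook = NULL;

void register_secopt_hook(secopt_hook_t h) { secopt_hook = h; }

/* Walk the IPv4 options area. Returns V_MALFORMED for a bad header, V_DROP
 * for a labeled packet when no hook is registered (original Linux
 * behaviour), otherwise the hook's verdict, or V_ACCEPT when no security
 * option is present at all. */
enum verdict check_ip_secopts(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 20 || (pkt[0] >> 4) != 4)
        return V_MALFORMED;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > pkt_len)          /* IHL claims more than we have */
        return V_MALFORMED;
    size_t off = 20;
    while (off < hlen) {
        uint8_t type = pkt[off];
        if (type == IPOPT_END)
            break;
        if (type == IPOPT_NOOP) {
            off++;
            continue;
        }
        if (off + 1 >= hlen)                  /* length byte missing */
            return V_MALFORMED;
        size_t len = pkt[off + 1];
        if (len < 2 || off + len > hlen)      /* option overruns the header */
            return V_MALFORMED;
        if (type == IPOPT_SEC || type == IPOPT_CIPSO) {
            if (secopt_hook == NULL)
                return V_DROP;                /* nobody to consume the label */
            return secopt_hook(pkt + off, len);
        }
        off += len;
    }
    return V_ACCEPT;
}

/* Example hook: accept CIPSO whose Domain of Interpretation matches the one
 * this host is configured for (LOCAL_DOI is an assumed value); drop RIPSO
 * and foreign-DOI CIPSO. A real decoder would also validate the tags that
 * follow the DOI. */
#define LOCAL_DOI 3u
enum verdict example_cipso_hook(const uint8_t *opt, size_t len)
{
    if (opt[0] != IPOPT_CIPSO || len < 6)     /* type, len, 4-byte DOI */
        return V_DROP;
    uint32_t doi = ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
                   ((uint32_t)opt[4] << 8)  |  (uint32_t)opt[5];
    return doi == LOCAL_DOI ? V_ACCEPT : V_DROP;
}

/* Constructed sample headers (10.0.0.1 -> 10.0.0.2, TCP); not captured traffic.
 * ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst. */
#define IPHDR(ihl, total) 0x40 | (ihl), 0, 0, (total), 0, 0, 0, 0, 64, 6, 0, 0, \
                          10, 0, 0, 1, 10, 0, 0, 2
static const uint8_t plain_hdr[20]   = { IPHDR(5, 20) };
/* RIPSO, classification byte 0xAB (Unclassified), padded with EOL */
static const uint8_t ripso_hdr[24]   = { IPHDR(6, 24), IPOPT_SEC, 3, 0xAB, IPOPT_END };
/* CIPSO, DOI 3, one tag-type-1 tag of length 4, padded with EOL */
static const uint8_t cipso_hdr[32]   = { IPHDR(8, 32), IPOPT_CIPSO, 10, 0, 0, 0, 3,
                                         1, 4, 0, 0, IPOPT_END, IPOPT_END };
/* Same shape, but DOI 4 (not ours) */
static const uint8_t foreign_hdr[32] = { IPHDR(8, 32), IPOPT_CIPSO, 10, 0, 0, 0, 4,
                                         1, 4, 0, 0, IPOPT_END, IPOPT_END };
/* IHL says 28 bytes but only 20 are present */
static const uint8_t short_hdr[20]   = { IPHDR(7, 20) };

int main(void)
{
    printf("no hook: cipso -> %d (1 = drop)\n",
           check_ip_secopts(cipso_hdr, sizeof cipso_hdr));
    register_secopt_hook(example_cipso_hook);
    printf("with hook: cipso -> %d, foreign DOI -> %d, ripso -> %d\n",
           check_ip_secopts(cipso_hdr, sizeof cipso_hdr),
           check_ip_secopts(foreign_hdr, sizeof foreign_hdr),
           check_ip_secopts(ripso_hdr, sizeof ripso_hdr));
    return 0;
}
```

Before the hook is registered every labeled packet is dropped, which is what lets a sender notice that the host is not a labeled-traffic target; once a hook is present the verdict becomes the module's policy, and unlabeled traffic is never affected either way. A malformed options area is refused before any hook runs, since a length byte that overruns the header is the usual way option parsers get into trouble.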
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 03:26:29 PDT