Draft 01                                                        James Morris
                                                           February 10, 2002


                    Selopt IP Options Labeling, Version 1
                    

Table of Contents

  1.  Introduction
  2.  Option Type
  3.  Domain of Interpretation
  4.  Security Tags
    4.1  Security Label Parameters
      4.1.1  Parameter Types
  5.  Handling
    5.1  ICMP Reporting
    5.2  ICMP Labeling
  6.  References


1. Introduction

  This document describes the Selopt [1] implementation of CIPSO [2] and
  FIPS-188 [3] IP options labeling.
  
  Selopt labeling is based on the now defunct CIPSO draft, and uses the
  FIPS-188 Free Form tag for encoding IP datagrams with SELinux-specific
  security labels.
  

2. Option Type

  All labeled traffic under Selopt utilizes the CIPSO (type 134) IP
  option.
  

3. Domain of Interpretation

  The CIPSO Domain of Interpretation (DOI) field, or Security Tag Set
  Name under FIPS-188, is set to hexadecimal 10001000 for all datagrams
  labeled under Version 1 of Selopt.  This DOI value was selected
  arbitrarily, as there is currently no relevant regulatory activity in
  this area.
  

4. Security Tags

  Each Selopt option contains one variable-length Free Form security tag.
  
  Under Selopt, the tag is constructed as follows:
  
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  !       Type    !     Length    !                               !
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
  !                                                               !
  ~                      Security Label Parameters                ~
  !                                                               !
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  
    Type: 8 bits.
    
      Free Form tag type, set to the value 7.
    
    Length: 8 bits.
    
      Total length of tag in octets, ranging from 10 to 32 inclusive.
    
    Security Label Parameters: variable.
    
      See section 4.1.
      
    
4.1 Security Label Parameters
   
  Each Security Label Parameter is of the form:
  
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  !       Type    !     Length    !                               !
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
  !                                                               !
  ~                             Value                             ~
  !                                                               !
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  
    Type: 8 bits.
    
      Type of Security Label Parameter, which must be one of the
      parameter types described in section 4.1.1.
      
    Length: 8 bits.
    
      Total length of parameter in octets.
    
    Value: variable.
    
      Per section 4.1.1.


4.1.1 Parameter Types

  Note that the length values described here are inclusive of the Type
  and Length fields of the Security Label Parameter.
  
  +------+--------+-----------+----------------------------------------+
  | Type | Length | Name      | Description                            |
  +------+--------+-----------+----------------------------------------+
  |  1   |   2    | Bypass    | Implicitly labeled (e.g. SCMP packet). |
  +------+--------+-----------+----------------------------------------+
  |  2   |   6    | Serial    | 32-bit policy serial number.           |
  +------+--------+-----------+----------------------------------------+
  |  3   |   6    | SSID      | 32-bit source SID.                     |
  +------+--------+-----------+----------------------------------------+
  |  4   |   6    | MSID      | 32-bit message SID.                    |
  +------+--------+-----------+----------------------------------------+
  |  5   |   6    | DSID      | 32-bit destination SID.                |
  +------+--------+-----------+----------------------------------------+


  A Selopt security tag must contain either:
  
    a) The Bypass parameter only; or
    
    b) Serial and SSID parameters, and optionally MSID and DSID parameters.
    
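  As an added illustration (not part of this draft or of the Selopt
  implementation), the following Python decoder checks a CIPSO option
  against sections 2 through 4.1.1 and rejects anything outside the
  stated format.  The sample option bytes are constructed here with
  made-up SID and serial values.

```python
import struct
# Option type (sect. 2), Version 1 DOI (sect. 3), Free Form tag type (sect. 4)
CIPSO_OPTION_TYPE, SELOPT_V1_DOI, FREE_FORM_TAG_TYPE = 134, 0x10001000, 7
# Parameter type -> (name, total length incl. Type/Length), per section 4.1.1
PARAM_TYPES = {1: ("Bypass", 2), 2: ("Serial", 6), 3: ("SSID", 6),
               4: ("MSID", 6), 5: ("DSID", 6)}

def parse_selopt_tag(tag: bytes) -> dict:
    """Decode one Free Form tag into {name: value}; ValueError on any
    deviation from sections 4/4.1.1 so a receiver can drop the datagram.
    The 10..32 octet range of section 4 is applied only as an upper bound,
    since a Bypass-only tag is just 4 octets under the 4.1.1 table."""
    if len(tag) < 2 or tag[0] != FREE_FORM_TAG_TYPE:
        raise ValueError("not a Free Form (type 7) tag")
    length = tag[1]
    if length != len(tag) or length > 32:
        raise ValueError(f"bad tag length {length}")
    params, off = {}, 2
    while off < length:
        if length - off < 2:
            raise ValueError("truncated parameter header")
        ptype, plen = tag[off], tag[off + 1]
        if ptype not in PARAM_TYPES:
            raise ValueError(f"unknown parameter type {ptype}")
        name, want = PARAM_TYPES[ptype]
        if plen != want or off + plen > length or name in params:
            raise ValueError(f"bad length or duplicate for {name}")
        # Bypass carries no value; the others carry one 32-bit big-endian word
        params[name] = None if plen == 2 else struct.unpack("!I", tag[off + 2:off + 6])[0]
        off += plen
    names = set(params)
    if names == {"Bypass"} or ({"Serial", "SSID"} <= names and "Bypass" not in names):
        return params
    raise ValueError("tag must be Bypass only, or Serial+SSID with optional MSID/DSID")

def parse_selopt_option(opt: bytes) -> dict:
    """Decode a whole CIPSO option: type 134, length, DOI, then one Selopt tag."""
    if len(opt) < 6 or opt[0] != CIPSO_OPTION_TYPE or opt[1] != len(opt):
        raise ValueError("not a well-formed CIPSO option")
    doi = struct.unpack("!I", opt[2:6])[0]
    if doi != SELOPT_V1_DOI:
        raise ValueError(f"unexpected DOI {doi:#x}")
    return parse_selopt_tag(opt[6:])

# Constructed sample (made-up values): Serial=0x2a, SSID=0x10, MSID=0x7
SAMPLE_TAG = (bytes([FREE_FORM_TAG_TYPE, 20, 2, 6]) + struct.pack("!I", 0x2a)
              + bytes([3, 6]) + struct.pack("!I", 0x10) + bytes([4, 6]) + struct.pack("!I", 0x7))
SAMPLE_OPTION = bytes([CIPSO_OPTION_TYPE, 6 + len(SAMPLE_TAG)]) + struct.pack("!I", SELOPT_V1_DOI) + SAMPLE_TAG
```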

5. Handling

  Handling of IP options under Selopt follows the CIPSO draft unless
  otherwise indicated.


5.1 ICMP Reporting

  [tbd]

  
5.2 ICMP Labeling

  [tbd]


6. References

[1] Overview of SELinux Labeled Networking Support via CIPSO/FIPS-188
    IP Options, selopt-overview.txt.
    
[2] IETF CIPSO Working Group, Commercial IP Security Option (CIPSO 2.2),
    July 1992 (expired draft).

[3] Federal Information Processing Standards Publication 188, Standard
    Security Label for Information Transfer, September 1994.
    
