$Id: selopt-overview.txt,v 1.6 2002/02/11 15:08:27 jmorris Exp $

Overview of SELinux Labeled Networking Support via CIPSO/FIPS-188
IP Options (selopt)

Version 0.08

INTRODUCTION

The selopt package consists of a kernel patch and userspace
components which implement labeled IPv4 networking for SELinux.

This document provides a brief overview of the selopt labeling model
and associated components.

A working knowledge of the Flask security model and of the SELinux
implementation is assumed.  Refer to the documentation at
http://www.nsa.gov/selinux/ for more information on these topics.

For installation instructions, see the INSTALL file.


MECHANISMS

Selopt provides mechanisms for:

  o Labeling IPv4 packets with local Security IDs (SIDs);
  o Specifying which packets require labeling;
  o Decoding labels from peers;
  o Mapping remote network SIDs to local SIDs.

These mechanisms allow the Flask security model of SELinux to be
extended to IPv4 networking.


SECURITY PERIMETERS

Under Selopt, a security perimeter is defined as a group of trusted peers
which are managed under equivalent security policies.  Security policies
are equivalent if users, roles, types and MLS attributes are the same,
and mean the same thing on each system.

Security perimeters are managed using the 'pt' utility.

Selopt does not currently support labeled communication between different
security perimeters.


LABELING

For peers within a security perimeter, IPv4 traffic is labeled via IP
options.  All traffic between peers within the perimeter must be labeled,
while unlabeled traffic may cross the perimeter boundary (to or from peers
outside it), depending on policy configuration.

Each packet is labeled with a policy serial number and a source SID.  Once
the extended socket API is implemented, packets may also be labeled with a
destination SID, indicating that the specified destination of the packet
must be enforced.  For non-stream protocols, the extended socket API will
also allow packets to be labeled with per-message SIDs.

The IP options used to label packets are based on the FIPS-188 standard
and the CIPSO draft.  The FIPS-188 "free form" tag is used to encode
the policy serial and SID values.  Certain packets, such as SCMP and
ISAKMP traffic, are part of the mechanism that makes labeling possible
and so must bypass it and be labeled implicitly; a bypass label is
available for this purpose.  The format and handling of the Selopt IP
options are discussed in [2].
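As an added illustration (this is not code from the selopt package; the
real option format is specified in [2]), the following C encoder/decoder
builds a CIPSO-style option (option type 134) carrying a FIPS-188 free
form tag (tag type 6), and parses it back with the length checks a
receiver must make before trusting any field.  The payload layout (policy
serial followed by source SID, each a 32-bit big-endian value) and the DOI
value are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_CIPSO           134   /* CIPSO / FIPS-188 option type */
#define FIPS188_TAG_FREEFORM    6   /* FIPS-188 "free form" tag type */
#define IPOPT_AREA_MAX         40   /* IPv4 header carries at most 40 option bytes */
#define SELOPT_DOI_ASSUMED      1   /* assumed DOI; the real value is set by policy */

/* Assumed free-form payload: policy serial then source SID, each 32-bit
 * big-endian.  The layout actually used by selopt is defined in
 * selinux-options.txt and may differ. */
struct selopt_label { uint32_t serial; uint32_t src_sid; };

#define SELOPT_FF_LEN  (2 + 8)                    /* tag type, tag length, serial, SID */
#define SELOPT_OPT_LEN (2 + 4 + SELOPT_FF_LEN)    /* type, length, DOI, tag = 16 bytes */

static void put32(uint8_t *p, uint32_t v)
{ p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

static uint32_t get32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Write the option into buf.  Returns the option length, or -1 if buf is too small. */
int selopt_encode(uint8_t *buf, size_t cap, uint32_t doi, const struct selopt_label *l)
{
    if (cap < SELOPT_OPT_LEN) return -1;
    buf[0] = IPOPT_CIPSO;
    buf[1] = SELOPT_OPT_LEN;
    put32(buf + 2, doi);
    buf[6] = FIPS188_TAG_FREEFORM;
    buf[7] = SELOPT_FF_LEN;
    put32(buf + 8, l->serial);
    put32(buf + 12, l->src_sid);
    return SELOPT_OPT_LEN;
}

/* Parse an option of optlen bytes.  Returns 0 on success and a negative
 * code for malformed input.  Each length byte is validated against the
 * bytes actually present before it is used to index the buffer, so a
 * truncated or corrupted option can never cause an out-of-bounds read. */
int selopt_decode(const uint8_t *opt, size_t optlen, uint32_t *doi, struct selopt_label *l)
{
    if (optlen < 8) return -1;                       /* type, len, DOI, one tag header */
    if (opt[0] != IPOPT_CIPSO) return -2;
    size_t end = opt[1];
    if (end < 8 || end > optlen || end > IPOPT_AREA_MAX) return -3;
    *doi = get32(opt + 2);
    for (size_t off = 6; off < end; ) {
        if (end - off < 2) return -4;                /* no room for a tag header */
        uint8_t ttype = opt[off], tlen = opt[off + 1];
        if (tlen < 2 || tlen > end - off) return -4; /* tag claims more than the option holds */
        if (ttype == FIPS188_TAG_FREEFORM) {
            if (tlen != SELOPT_FF_LEN) return -5;    /* not the assumed payload size */
            l->serial  = get32(opt + off + 2);
            l->src_sid = get32(opt + off + 6);
            return 0;
        }
        off += tlen;                                 /* skip tag types we do not handle */
    }
    return -6;                                       /* no free-form tag present */
}

int main(void)
{
    uint8_t buf[IPOPT_AREA_MAX];
    struct selopt_label in = { 7, 0x1234 }, out;
    uint32_t doi;
    int n = selopt_encode(buf, sizeof buf, SELOPT_DOI_ASSUMED, &in);
    if (n > 0 && selopt_decode(buf, (size_t)n, &doi, &out) == 0)
        printf("doi=%u serial=%u src_sid=0x%x\n", doi, out.serial, out.src_sid);
    return 0;
}
```

The decoder walks the tag list rather than assuming the free-form tag is
first, and rejects a tag length that points past the option; both checks
matter on a receiver, since the option bytes arrive from the network and
are only trustworthy once the protection layer has authenticated them.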


NETWORK SID MAPPING

As SIDs only have local significance, remote SIDs specified in packet
labels are mapped using a simple UDP protocol called the Security Context
Mapping Protocol (SCMP) [1].  This protocol allows a peer to request a
security context for a given SID and security policy serial number.  The
remote security context is then translated to a local SID and stored in a
network SID (NSID) mapping cache.

This mapping works because of security policy equivalence.  A security
context on one peer has the same meaning as a security context on another
peer within the same security perimeter.

SCMP mapping is performed by a userspace daemon called scmpd, which
communicates with the kernel via Netlink.


DEFERRED PROCESSING

When a labeled packet is received for which there is no current NSID mapping,
it is queued while an SCMP map request message is sent to the originator.
Once an SCMP map response is received and processed, the queued packet is
marked with the equivalent local SID(s) and dequeued.

The packet queue may be managed from userspace with the 'qt' utility.
Information about the state of the packet queue may be found via 'qt dump',
while 'qt flush' flushes the queue.  The maximum length of the queue can
be set via the sysctl net.ipv4.selopt_queue_max, the default is 1024.

This deferred processing appears to work well, although it has so far only
been tested on a LAN.
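The mapping and deferral described in the NETWORK SID MAPPING and DEFERRED
PROCESSING sections, as an added example in C; this is a user-space model
written for this document, not the selopt kernel code or scmpd.  It assumes
a small fixed queue limit in place of net.ipv4.selopt_queue_max, a
constructed table of local security contexts in place of the SELinux
security server, and counts SCMP map requests instead of sending UDP.  The
function and structure names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stands in for the sysctl net.ipv4.selopt_queue_max (default 1024);
 * kept tiny here so the full-queue path is easy to exercise. */
#define QUEUE_MAX 4
#define CACHE_MAX 16

/* Local security contexts, indexed by local SID (SID 0 = unmapped).
 * Constructed sample data; on a real system the SELinux security server
 * owns the context-to-SID mapping. */
static const char *local_ctx[] = { NULL,
    "system_u:system_r:kernel_t", "system_u:system_r:sshd_t", "user_u:user_r:user_t" };
#define NLOCAL 4

static int sid_for_context(const char *ctx)
{
    for (int s = 1; s < NLOCAL; s++)
        if (strcmp(ctx, local_ctx[s]) == 0) return s;
    return -1;                         /* context has no local meaning */
}

/* NSID cache: (policy serial, remote SID) -> local SID */
struct nsid_entry { uint32_t serial, rsid; int lsid; };
static struct nsid_entry cache[CACHE_MAX];
static int ncache;

static int nsid_lookup(uint32_t serial, uint32_t rsid)
{
    for (int i = 0; i < ncache; i++)
        if (cache[i].serial == serial && cache[i].rsid == rsid) return cache[i].lsid;
    return 0;
}

/* A received packet carrying a selopt label; id is only for tracing. */
struct packet { int id; uint32_t serial, rsid; int lsid; };
static struct packet queue[QUEUE_MAX];
static int nqueue;
static int delivered[64], ndelivered, dropped, map_requests;

static void deliver(struct packet *p) { delivered[ndelivered++] = p->id; }

static int pending(uint32_t serial, uint32_t rsid)
{
    for (int i = 0; i < nqueue; i++)
        if (queue[i].serial == serial && queue[i].rsid == rsid) return 1;
    return 0;
}

/* Inbound path.  Returns 1 if delivered with a local SID, 0 if queued
 * awaiting an SCMP map response, -1 if dropped because the queue is full. */
int selopt_rx(struct packet p)
{
    int lsid = nsid_lookup(p.serial, p.rsid);
    if (lsid > 0) { p.lsid = lsid; deliver(&p); return 1; }
    if (nqueue == QUEUE_MAX) { dropped++; return -1; }   /* bounded: drop, never grow */
    if (!pending(p.serial, p.rsid)) map_requests++;      /* one request per unmapped label */
    queue[nqueue++] = p;
    return 0;
}

/* SCMP map response for (serial, rsid).  Installs the mapping and releases
 * every queued packet with that label.  If the context has no local
 * meaning (the peer's policy is not equivalent), those packets are dropped
 * instead and -1 is returned; otherwise the number released. */
int scmp_response(uint32_t serial, uint32_t rsid, const char *ctx)
{
    int lsid = sid_for_context(ctx), kept = 0, released = 0;
    if (lsid > 0 && ncache < CACHE_MAX)
        cache[ncache++] = (struct nsid_entry){ serial, rsid, lsid };
    for (int i = 0; i < nqueue; i++) {
        if (queue[i].serial != serial || queue[i].rsid != rsid) { queue[kept++] = queue[i]; continue; }
        if (lsid > 0) { queue[i].lsid = lsid; deliver(&queue[i]); released++; }
        else dropped++;
    }
    nqueue = kept;
    return lsid > 0 ? released : -1;
}

int main(void)
{
    selopt_rx((struct packet){ 1, 5, 100, 0 });
    selopt_rx((struct packet){ 2, 5, 100, 0 });
    int n = scmp_response(5, 100, "system_u:system_r:sshd_t");
    printf("released %d queued packets after %d map request(s)\n", n, map_requests);
    return 0;
}
```

Two details are worth noting.  The queue is bounded and drops on overflow,
which is what the sysctl limit exists for: a peer that sends a flood of
packets with fresh unmapped SIDs must not be able to exhaust memory.  And a
map response naming a context with no local meaning drops the waiting
packets rather than leaving them queued or inventing a mapping, because
the only reason the mapping works at all is policy equivalence.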


PROTECTION

Selopt does not provide any traffic protection, and is itself useless
without it: a label carried in an unprotected IP option can be stripped,
altered or forged in transit.  However, the decision was made to separate
labeling from protection to allow more flexibility in system composition.

A protection layer must minimally provide the following services for all
labeled traffic: confidentiality, data origin authentication, connectionless
integrity and anti-replay measures.

It is expected that labeled traffic will be protected by IPsec in most cases.


SECURITY POLICY

The Selopt labeling mechanisms are independent of Flask policy.

Once a security perimeter is defined, any traffic within the perimeter
is labeled.  Selopt decodes the labels but does not interpret them in
terms of security policy.

New access vectors and Flask security policies need to be implemented
to integrate labeling with policy.

A more general networking policy system may also be required, which
encapsulates labeling and protection policies, and allows them to be
integrated with flask policy.


NSID API

The NSID API is a set of hooks in the SELinux code which allow IP options
based labeling systems to be implemented.  Selopt is one implementation
of such a system.

It is not known if this API would also be useful for a markedly different
kind of labeling system, such as the custom IPsec-based implementation
of an earlier Flask prototype.


USERSPACE COMPONENTS

In addition to the userspace applications already mentioned (scmpd, pt and
qt), an NSID cache management tool (ct), and a Netlink monitoring utility
(flmon) are provided.

AUTHOR

James Morris <jmorris@intercode.com.au>

URL

http://www.intercode.com.au/jmorris/selopt/


REFERENCES

[1] Security Context Mapping Protocol, Version 1, Draft 01.
    (scmp-draft.txt)
    
[2] Selopt IP Options Labeling, Version 1, Draft 01.
    (selinux-options.txt)
