Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

===================================
NetLabel CIPSO/IPv4 Protocol Engine
===================================

Paul Moore, paul.moore@hp.com

May 17, 2006

Overview
========

The NetLabel CIPSO/IPv4 protocol engine is based on the IETF Commercial
IP Security Option (CIPSO) draft from July 16, 1992.  A copy of this
draft can be found in this directory
(draft-ietf-cipso-ipsecurity-01.txt).  While the IETF draft never made
it to an RFC standard it has become a de-facto standard for labeled
networking and is used in many trusted operating systems.

Outbound Packet Processing
==========================

The CIPSO/IPv4 protocol engine applies the CIPSO IP option to packets by
adding the CIPSO label to the socket.  This causes all packets leaving the
system through the socket to have the CIPSO IP option applied.  The socket's
CIPSO label can be changed at any point in time, however, it is recommended
that it is set upon the socket's creation.  The LSM can set the socket's CIPSO
label by using the NetLabel security module API; if the NetLabel "domain" is
configured to use CIPSO for packet labeling then a CIPSO IP option will be
generated and attached to the socket.

Inbound Packet Processing
=========================

The CIPSO/IPv4 protocol engine validates every CIPSO IP option it finds at the
IP layer without any special handling required by the LSM.  However, in order
to decode and translate the CIPSO label on the packet the LSM must use the
NetLabel security module API to extract the security attributes of the packet.
This is typically done at the socket layer using the 'socket_sock_rcv_skb()'
LSM hook.
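
As an added example (not part of this kernel documentation or of the kernel's
cipso_ipv4.c), a small user-space C parser that performs the structural checks
a receiver has to apply to a CIPSO IPv4 option before trusting any field in
it, following the draft cited above: option type 134, option length, a
non-zero DOI, per-tag bounds, and decoding of a tag-type-1 (restrictive
bitmap) tag.  The function and struct names and the sample option bytes are
my own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CIPSO_OPT_TYPE 134  /* IPv4 option number assigned to CIPSO */
#define CIPSO_HDR_LEN  6    /* type, length, 32-bit DOI */
#define CIPSO_TAG_RBM  1    /* tag type 1: restrictive bitmap */

struct cipso_label {            /* hypothetical decoded-label type */
    uint32_t doi;               /* Domain Of Interpretation */
    uint8_t  level;             /* sensitivity level from the tag-type-1 tag */
    uint8_t  cats[30];          /* category bitmap; category 0 is the MSB of cats[0] */
    size_t   cats_len;
};

/* Structural validation of one CIPSO option.  Returns 0 and fills *out on
 * success, -1 if any bound or constant is wrong.  Only tag type 1 is decoded;
 * other tag types are skipped after their length is bounds-checked. */
int cipso_parse(const uint8_t *opt, size_t opt_len, struct cipso_label *out)
{
    if (opt_len < CIPSO_HDR_LEN || opt_len > 40)    /* IPv4 options never exceed 40 bytes */
        return -1;
    if (opt[0] != CIPSO_OPT_TYPE || (size_t)opt[1] != opt_len)
        return -1;
    memset(out, 0, sizeof(*out));
    out->doi = (uint32_t)opt[2] << 24 | (uint32_t)opt[3] << 16 |
               (uint32_t)opt[4] << 8 | opt[5];
    if (out->doi == 0)                               /* DOI 0 is reserved in the draft */
        return -1;
    int found = 0;
    for (size_t pos = CIPSO_HDR_LEN; pos < opt_len; ) {
        if (opt_len - pos < 2)                       /* every tag carries type + length */
            return -1;
        uint8_t tag_type = opt[pos], tag_len = opt[pos + 1];
        if (tag_len < 2 || pos + tag_len > opt_len)  /* tag must fit inside the option */
            return -1;
        if (tag_type == CIPSO_TAG_RBM && !found) {
            /* type, length, alignment octet (must be 0), level, 0..30 bitmap bytes */
            if (tag_len < 4 || tag_len > 34 || opt[pos + 2] != 0)
                return -1;
            out->level = opt[pos + 3];
            out->cats_len = tag_len - 4;
            memcpy(out->cats, &opt[pos + 4], out->cats_len);
            found = 1;
        }
        pos += tag_len;
    }
    return found ? 0 : -1;
}

/* Category n of a tag-type-1 bitmap is bit (n % 8) of byte n / 8, counted from the MSB. */
int cipso_has_category(const struct cipso_label *l, unsigned cat)
{
    return cat / 8 < l->cats_len && (l->cats[cat / 8] & (0x80u >> (cat % 8))) != 0;
}

/* Constructed sample: DOI 3, one tag-type-1 tag, level 5, categories 0 and 9 set. */
static const uint8_t sample_ok[] = {134, 12, 0, 0, 0, 3, 1, 6, 0, 5, 0x80, 0x40};
```

This stops at the wire format; the kernel engine additionally looks the DOI up in its configured table and maps the level and categories through that DOI's translation tables before the LSM ever sees them.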

Label Translation
=================

The CIPSO/IPv4 protocol engine contains a mechanism to translate CIPSO security
attributes such as sensitivity level and category to values which are
appropriate for the host.  These mappings are defined as part of a CIPSO
Domain Of Interpretation (DOI) definition and are configured through the
NetLabel user space communication layer.  Each DOI definition can have a
different security attribute mapping table.

Label Translation Cache
=======================

The NetLabel system provides a framework for caching security attribute
mappings from the network labels to the corresponding LSM identifiers.  The
CIPSO/IPv4 protocol engine supports this caching mechanism.