From: Paul Moore <paul.moore@hp.com>
To: selinux@tycho.nsa.gov
Cc: Joy Latten <latten@us.ibm.com>,
Venkat Yekkirala <vyekkirala@TrustedCS.com>
Subject: Problems with Labeled IPsec, IKE and ECN
Date: Mon, 19 Nov 2007 15:17:34 -0500 [thread overview]
Message-ID: <200711191517.34487.paul.moore@hp.com> (raw)
Hello All,
Bill Sommerfeld, a Sun engineer looking into implementing Labeled IPsec, ran
across a problem with Linux's Labeled IPsec implementation[1]. The problem
is that the IKE/IPsec attribute used to pass the SELinux context is also used
as part of the Explicit Congestion Notification (ECN) specification[2][3].
The ipsec-tools package currently defines the SELinux context attribute value
as "10" in src/racoon/ipsec_doi.h (taken from v0.7):
#ifdef HAVE_SECCTX
#define IPSECDOI_ATTR_SECCTX 10 /* V */
#endif
However, in RFC 3168 section 9.2.1.1 the ECN attribute value is also defined
as "10":
A new IPsec Security Association Attribute is defined to enable the
support for ECN congestion notifications based on the outer IP header
to be negotiated for IPsec tunnels (see [RFC2407]). This attribute
is OPTIONAL, although implementations that support it SHOULD also
support the SAD field defined in Section 9.2.1.1.
Attribute Type
class value type
-------------------------------------------------
ECN Tunnel 10 Basic
The IPsec SA Attribute value 10 has been allocated by IANA to
indicate that the ECN Tunnel SA Attribute is being negotiated; the
type of this attribute is Basic (see Section 4.5 of [RFC2407]). The
Class Values are used to conduct the negotiation. See [RFC2407,
RFC2408, RFC2409] for further information including encoding formats
and requirements for negotiating this SA attribute.
Needless to say this is a problem and we need to move away from using the
IKE/IPsec attribute value of "10" as soon as possible. Further, simply
picking a new number is not a good solution, we should really petition IANA
to get an attribute number assigned for this purpose. However, doing so will
most likely require documenting the Linux Labeled IPsec design and submitting
it to the IETF as a draft specification for approval[4]. If this is not
possible we will need to start investigating alternatives as "poaching"
existing standards is not a viable, maintainable solution.
[1] http://blogs.sun.com/sommerfeld/entry/poaching_codepoints
[2] http://www.ietf.org/rfc/rfc3168.txt
[3] http://www.iana.org/assignments/isakmp-registry
[4] http://www.ietf.org/rfc/rfc2860.txt
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next reply other threads:[~2007-11-19 20:18 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-11-19 20:17 Paul Moore [this message]
2007-11-20 20:32 ` Problems with Labeled IPsec, IKE and ECN James Morris
2007-11-20 22:30 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200711191517.34487.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=latten@us.ibm.com \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.