TRUSTED_NETWORKING(7)TRUSTED_NETWORKING(7)NAMEtrusted_networking - Trusted IRIX network administration: basic concepts.
PURPOSE
The purpose of trusted networking is to properly associate security
attributes with data that is imported to or exported from the system, and
to enforce system security policy on that data.
POLICIES
In the current release of Trusted IRIX, the policies enforced by the
trusted networking code are as follows.
Transmitted packet labels must fall within the label range of the
destination host or network profile in the remote host database.
Received packet labels must fall within the label range of the
source host or network profile in the remote host database.
Delivered data must have a label equal to the label of the receiving
process. The uid of the delivered data must be permitted by the
socket ACL.
Trusted processes that have set the extended attributes mode do not
have delivery policy enforced, but must enforce appropriate policy
based on the attributes available through the TSIX API. Such
processes must have the CAP_NETWORK_MGT capability enabled.
TSIX
Trusted IRIX employs the Trusted Security Information Exchange (TSIX)
standard, which was created by the Trusted Systems Interoperability Group
(TSIG) to address the shortcomings of IP labeling in a way that would let
various vendors interoperate with one another. TSIX is a specification
of a session layer protocol for passing all the attributes needed to
enforce policy between two systems.
In previous releases of Trusted IRIX, network access control decisions
were based on information contained in the Security Option in the IP
header of each datagram. While the IP Security Option is adequate for
many applications, it is limited to 40 bytes of information, so it cannot
contain all of the security attributes of the remote user.
SAMP
The protocol TSIX uses to communicate the attributes between systems is
the Security Attribute Modulation Protocol (SAMP). This consists of a
header and a list of attributes that are prepended to outgoing data as if
it were user data. The TCB at one end puts the headers on and the TCB at
the other end pulls them off before the data gets passed to the user
process.
Page 1
TRUSTED_NETWORKING(7)TRUSTED_NETWORKING(7)SATMP
To improve performance, attributes are represented by 32 bit tokens. The
Security Attribute Token Mapping Protocol (SATMP) protocol is used to
convert security attributes in the format native to the local system into
tokens useful to the destination system.
DOT
A Domain of Translation (DOT) identifies a set of translation tables a
system uses when converting security attributes between its native format
and the network representation understood in that domain.
IP Security Options
The following IP Security Options are recognized by the trusted
networking software.
RIPSO
The Revised IP Security Option was proposed by the US Department of
Defense. RIPSO includes two types of security options. The Basic
Security Option (BSO), accommodates sixteen security classifications and
a variable number of handling restrictions. The Extended Security Option
(ESO), used in conjunction with the BSO, encodes security compartments
and other security information. RIPSO is described by RFC 1108, U.S.
Department of Defense Security Options for the Internet Protocol.
Currently Trusted IRIX only supports the Basic Security Option with only
eight sensitivity levels.
CIPSO
The Commercial IP Security Option was proposed by the Trusted Systems
Interoperability Group with the intent of meeting trusted networking
requirements for the commercial trusted systems market place. CIPSO is
capable of supporting multiple security policies, although the CIPSO
draft as of this writing only defines the formats and procedures required
to support mandatory access control. CIPSO only supports sensitivity
levels and categories, it does not support integrity grades, divisions or
special label types. Trusted IRIX supports two forms of CIPSO labels;
tag type 1, which can encode categories 1 to 239, and tag type 2, which
can encode up to fifteen arbitrary categories.
SGIPSO
This is CIPSO with additional vendor tag types for administrative labels,
integrity labels and uids. SGIPSO supports sensitivity levels, integrity
grades, categories, divisions and uids but it does not support special
label types. SGIPSO supports only 16 bit uids and so it does not permit
uids greater than 65535. A special form of SGIPSO called 'SGIPSO
Special' supports only special label types for administrative purposes.
Processing at Network and Host Levels
Under Trusted IRIX, processing of imported and exported security labels
occurs at two levels. At the Network Level, IP Security Options are used
to route traffic. At the Session Manager Level, SAMP and SATMP are used
to send all the Security Attributes required to enforce security policy
between network components.
Page 2
TRUSTED_NETWORKING(7)TRUSTED_NETWORKING(7)
Host Categories
There are three categories of hosts from which Trusted IRIX can receive
packets: another TSIX host, a non-TSIX host that puts a security option
in the IP header and an unlabelled host. Policy is enforced as follows.
TSIX Host Policy is enforced at the SAMP level where a check is
made to determine whether the data should be delivered to
the process for which it is intended.
IP-Option Host At the IP layer a check is made to determine whether the
packet can be accepted based on information in the
security option and the remote host database profile for
the source host or network. At the TCP or UDP layer a
check is performed to determine whether the data should
be delivered to the process for which it is intended.
Unlabelled Host Access decisions are the same as for an IP option host
but the label of the packet is given by defaults
specified in the remote host database profile for the
source host or network. A process can communicate with
an unlabelled host if the label of the process and the
default label of the host are equivalent.
Network Level Access Decisions
A received packet either has a SGIPSO, CIPSO, or RIPSO option, or is
unlabelled. In the first three cases, the label is extracted and, if it
is not within the label range of the remote host or network, it is
dropped. In the case of an unlabelled packet, the label is obtained from
the host or network profile in the remote host database.
For packets that are routed, or that are replied to by the TCB, for
example ICMP, the outgoing packets will have the same label as the
received packet. That label will be used for a label range check against
the destination host or network, and the packet will be dropped if not
within range.
Host Level Access Decisions
For TSIX hosts, the security attributes are provided in the SAMP header.
Attributes identified as mandatory that are not present in SAMP header
are supplied from the remote host database profile entry. If all
mandatory attributes are not present, the packet is dropped in the case
of UDP, or the connection is closed for TCP. The session manager
maintains a composite set of attributes for the socket that consists of
the last modulated attributes and any defaults. These composite
attributes are the attributes used to enforce policy on delivery to
applications, and are available to trusted applications via the TSIX API.
SEE ALSOlibt6(3N), iflabel(1m), rhost(1m), nfssamp(1m), satmpd(1m), satmp(7p),
samp(7p), tsix(7p)
Page 3
