SGI Techpubs Library

IRIX 6.5  »  Man Pages

TRUSTED_NETWORKING(7)

 NAME

     trusted_networking - Trusted IRIX network administration: basic concepts.

 PURPOSE

     The purpose of trusted networking is to properly associate security
     attributes with data that is imported to or exported from the system, and
     to enforce system security policy on that data.

 POLICIES

     In the current release of Trusted IRIX, the policies enforced by the
     trusted networking code are as follows.

          Transmitted packet labels must fall within the label range of the
          destination host or network profile in the remote host database.

          Received packet labels must fall within the label range of the
          source host or network profile in the remote host database.

          Delivered data must have a label equal to the label of the receiving
          process.  The uid of the delivered data must be permitted by the
          socket ACL.

          Trusted processes that have set the extended attributes mode do not
          have delivery policy enforced, but must enforce appropriate policy
          based on the attributes available through the TSIX API.  Such
          processes must have the CAP_NETWORK_MGT capability enabled.

 TSIX

     Trusted IRIX employs the Trusted Security Information Exchange (TSIX)
     standard, which was created by the Trusted Systems Interoperability Group
     (TSIG) to address the shortcomings of IP labeling in a way that would let
     various vendors interoperate with one another.  TSIX is a specification
     of a session layer protocol for passing all the attributes needed to
     enforce policy between two systems.

     In previous releases of Trusted IRIX, network access control decisions
     were based on information contained in the Security Option in the IP
     header of each datagram.  While the IP Security Option is adequate for
     many applications, it is limited to 40 bytes of information, so it cannot
     contain all of the security attributes of the remote user.

 SAMP

     The protocol TSIX uses to communicate the attributes between systems is
     the Security Attribute Modulation Protocol (SAMP).  This consists of a
     header and a list of attributes that are prepended to outgoing data as if
     it were user data.  The TCB at one end puts the headers on and the TCB at
     the other end pulls them off before the data gets passed to the user
     process.

 SATMP

     To improve performance, attributes are represented by 32 bit tokens.  The
     Security Attribute Token Mapping Protocol (SATMP) is used to convert
     security attributes from the format native to the local system into
     tokens meaningful to the destination system.

 DOT

     A Domain of Translation (DOT) identifies a set of translation tables a
     system uses when converting security attributes between its native format
     and the network representation understood in that domain.

 IP Security Options

     The following IP Security Options are recognized by the trusted
     networking software.

   RIPSO
     The Revised IP Security Option was proposed by the US Department of
     Defense.  RIPSO includes two types of security options. The Basic
     Security Option (BSO), accommodates sixteen security classifications and
     a variable number of handling restrictions. The Extended Security Option
     (ESO), used in conjunction with the BSO, encodes security compartments
     and other security information. RIPSO is described by RFC 1108, U.S.
     Department of Defense Security Options for the Internet Protocol.
     Currently Trusted IRIX only supports the Basic Security Option with only
     eight sensitivity levels.
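     The following is an added example, not code from Trusted IRIX or from
     this manual page: an encoder and decoder for the RFC 1108 Basic Security
     Option as it appears in an IP header.  The option type number, the eight
     classification level octets and the protection authority flag bits are
     the values RFC 1108 assigns; the function names are this example's own.
     The decoder refuses undefined level octets and truncated flag fields
     rather than guessing, which is the check a receiver needs before it can
     apply the label range policy above.

```python
# Added example (not SGI's code): encode and decode an RFC 1108 Basic
# Security Option, the RIPSO form the page says Trusted IRIX accepts.

BSO_TYPE = 130  # IP option type number assigned to the Basic Security Option

# Classification level octets from RFC 1108.  The eight bit patterns are far
# apart so a corrupted octet is unlikely to decode as a different valid level.
CLASSIFICATIONS = {
    0x3D: "TOP SECRET",
    0x5A: "SECRET",
    0x96: "CONFIDENTIAL",
    0xAB: "UNCLASSIFIED",
    0x01: "RESERVED 4",
    0x66: "RESERVED 3",
    0xCC: "RESERVED 2",
    0xF1: "RESERVED 1",
}
LEVEL_CODES = {name: code for code, name in CLASSIFICATIONS.items()}

# Protection authority flags in the first flags octet (RFC 1108).  The
# low-order bit of every flags octet is the continuation indicator: 1 means
# another flags octet follows, 0 means this octet is the last.
AUTHORITIES = {0x80: "GENSER", 0x40: "SIOP-ESI", 0x20: "SCI", 0x10: "NSA", 0x08: "DOE"}
AUTHORITY_BITS = {name: bit for bit, name in AUTHORITIES.items()}
CONTINUE = 0x01


def encode_bso(level: str, authorities=()) -> bytes:
    """Return the option bytes: type, length, classification level, flags."""
    flags = 0
    for name in authorities:
        flags |= AUTHORITY_BITS[name]      # KeyError for an unknown authority
    # Every assigned authority fits in one octet, so the continuation bit is 0.
    return bytes([BSO_TYPE, 4, LEVEL_CODES[level], flags])


def decode_bso(opt: bytes):
    """Return (level, [authority names]); raise ValueError on malformed input.

    An undefined level octet is rejected rather than mapped to a nearby value:
    a receiver that guessed would defeat the purpose of the sparse encoding.
    """
    if len(opt) < 3 or opt[0] != BSO_TYPE:
        raise ValueError("not a Basic Security Option")
    length = opt[1]
    if length < 3 or length > len(opt):
        raise ValueError("bad option length")
    level = CLASSIFICATIONS.get(opt[2])
    if level is None:
        raise ValueError("undefined classification level 0x%02x" % opt[2])
    names = []
    pos = 3
    while pos < length:
        octet = opt[pos]
        if pos == 3:   # only the first flags octet has assigned authority bits
            names.extend(name for bit, name in AUTHORITIES.items() if octet & bit)
        if not octet & CONTINUE:          # last flags octet
            break
        pos += 1
    else:
        if length > 3:   # ran off the end with the continuation bit still set
            raise ValueError("protection authority flags truncated")
    return level, names
```

     A length of 3 (no flags octet) is accepted and yields an empty authority
     list; an option whose last flags octet still has the continuation bit
     set is rejected, since the receiver cannot tell where the flags end.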

   CIPSO
     The Commercial IP Security Option was proposed by the Trusted Systems
     Interoperability Group with the intent of meeting trusted networking
     requirements for the commercial trusted systems market place. CIPSO is
     capable of supporting multiple security policies, although the CIPSO
     draft as of this writing only defines the formats and procedures required
     to support mandatory access control.  CIPSO supports only sensitivity
     levels and categories; it does not support integrity grades, divisions or
     special label types.  Trusted IRIX supports two forms of CIPSO labels:
     tag type 1, which can encode categories 1 to 239, and tag type 2, which
     can encode up to fifteen arbitrary categories.
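     The following is an added example, not code from Trusted IRIX or from
     this manual page: it builds and parses a CIPSO option carrying one tag
     of type 1 (bit-mapped categories) or type 2 (enumerated categories).
     The option type number, the 4-byte DOI and the tag layouts follow the
     CIPSO draft; on the wire the first bit of a type 1 bitmap is category 0,
     so the example numbers categories from 0 rather than from 1 as the text
     above does.  Function and constant names are this example's own.

```python
# Added example (not SGI's code): build and parse a Commercial IP Security
# Option carrying one tag, either tag type 1 (bit-mapped categories) or tag
# type 2 (enumerated categories).  Category numbers follow the CIPSO wire
# format, where the bitmap's first (most significant) bit is category 0.

CIPSO_TYPE = 134          # IP option type number assigned to CIPSO
MAX_OPTION_LEN = 40       # all IP options share a 40-byte option space
TAG_BITMAP, TAG_ENUM = 1, 2
MAX_TAG_BODY = 30         # 30-byte bitmap, or fifteen 2-byte categories


def encode_cipso(doi: int, level: int, categories, tag_type: int) -> bytes:
    """Return the option: type, length, 4-byte DOI, then one tag."""
    cats = sorted(set(categories))
    if tag_type == TAG_BITMAP:
        # One bit per category 0..239, category 0 in the MSB of the first byte.
        if cats and cats[-1] > 239:
            raise ValueError("tag type 1 cannot carry categories above 239")
        bitmap = bytearray(cats[-1] // 8 + 1 if cats else 0)
        for c in cats:
            bitmap[c // 8] |= 0x80 >> (c % 8)
        body = bytes(bitmap)
    elif tag_type == TAG_ENUM:
        # Up to fifteen arbitrary 16-bit category numbers.
        if len(cats) > 15 or (cats and cats[-1] > 0xFFFF):
            raise ValueError("tag type 2 carries at most fifteen 16-bit categories")
        body = b"".join(c.to_bytes(2, "big") for c in cats)
    else:
        raise ValueError("unsupported tag type %d" % tag_type)
    # Tag: type, length, alignment octet (zero), sensitivity level, body.
    tag = bytes([tag_type, 4 + len(body), 0, level]) + body
    opt = bytes([CIPSO_TYPE, 6 + len(tag)]) + doi.to_bytes(4, "big") + tag
    if len(opt) > MAX_OPTION_LEN:
        raise ValueError("option exceeds the 40-byte IP option limit")
    return opt


def decode_cipso(opt: bytes):
    """Return (doi, level, sorted categories, tag_type); raise ValueError
    for anything malformed.  Length fields are checked before use so a
    hostile option cannot make the parser read outside the buffer."""
    if len(opt) < 10 or opt[0] != CIPSO_TYPE:
        raise ValueError("not a CIPSO option with a tag")
    length = opt[1]
    if length < 10 or length > len(opt) or length > MAX_OPTION_LEN:
        raise ValueError("bad option length")
    doi = int.from_bytes(opt[2:6], "big")
    tag_type, tag_len = opt[6], opt[7]
    if tag_len < 4 or 6 + tag_len > length:
        raise ValueError("bad tag length")
    level = opt[9]
    body = opt[10:6 + tag_len]
    if len(body) > MAX_TAG_BODY:
        raise ValueError("tag body longer than 30 bytes")
    cats = []
    if tag_type == TAG_BITMAP:
        for i, byte in enumerate(body):
            cats.extend(i * 8 + bit for bit in range(8) if byte & (0x80 >> bit))
    elif tag_type == TAG_ENUM:
        if len(body) % 2:
            raise ValueError("enumerated categories must be 16-bit values")
        cats = sorted(int.from_bytes(body[i:i + 2], "big")
                      for i in range(0, len(body), 2))
    else:
        raise ValueError("unsupported tag type %d" % tag_type)
    return doi, level, cats, tag_type
```

     A type 1 tag holding category 239 needs the full 30-byte bitmap, which
     brings the option to exactly 40 bytes; a type 2 tag trades the fixed
     bitmap for fifteen explicit values and so can name categories well above
     239, which is the choice between the two forms described above.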

   SGIPSO
     This is CIPSO with additional vendor tag types for administrative labels,
     integrity labels and uids.  SGIPSO supports sensitivity levels, integrity
     grades, categories, divisions and uids but it does not support special
     label types.  SGIPSO supports only 16 bit uids and so it does not permit
     uids greater than 65535.  A special form of SGIPSO called 'SGIPSO
     Special' supports only special label types for administrative purposes.

 Processing at Network and Host Levels

     Under Trusted IRIX, processing of imported and exported security labels
     occurs at two levels.  At the Network Level, IP Security Options are used
     to route traffic.  At the Session Manager Level, SAMP and SATMP are used
     to send all the Security Attributes required to enforce security policy
     between network components.

   Host Categories
     There are three categories of hosts from which Trusted IRIX can receive
     packets: another TSIX host, a non-TSIX host that puts a security option
     in the IP header, and an unlabelled host.  Policy is enforced as follows.

     TSIX Host       Policy is enforced at the SAMP level where a check is
                     made to determine whether the data should be delivered to
                     the process for which it is intended.

     IP-Option Host  At the IP layer a check is made to determine whether the
                     packet can be accepted based on information in the
                     security option and the remote host database profile for
                     the source host or network.  At the TCP or UDP layer a
                     check is performed to determine whether the data should
                     be delivered to the process for which it is intended.

     Unlabelled Host Access decisions are the same as for an IP option host
                     but the label of the packet is given by defaults
                     specified in the remote host database profile for the
                     source host or network.  A process can communicate with
                     an unlabelled host if the label of the process and the
                     default label of the host are equivalent.

   Network Level Access Decisions
     A received packet either has an SGIPSO, CIPSO, or RIPSO option, or is
     unlabelled.  In the first three cases, the label is extracted and the
     packet is dropped if that label is not within the label range of the
     remote host or network profile.  In the case of an unlabelled packet, the
     label is obtained from the host or network profile in the remote host
     database.

     For packets that are routed, or that are replied to by the TCB, for
     example ICMP, the outgoing packets will have the same label as the
     received packet.  That label will be used for a label range check against
     the destination host or network, and the packet will be dropped if not
     within range.

   Host Level Access Decisions
     For TSIX hosts, the security attributes are provided in the SAMP header.
     Attributes identified as mandatory that are not present in the SAMP
     header are supplied from the remote host database profile entry.  If any
     mandatory attribute is still missing, the packet is dropped in the case
     of UDP, or the connection is closed for TCP.  The session manager
     maintains a composite set of attributes for the socket that consists of
     the last modulated attributes and any defaults.  These composite
     attributes are the attributes used to enforce policy on delivery to
     applications, and are available to trusted applications via the TSIX API.
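     The following is an added example, not code from Trusted IRIX or from
     this manual page, that models the import-side decisions described in the
     POLICIES section and in the three subsections above: the network level
     label range check (with the profile default standing in for an unlabelled
     packet and the same check applied to routed or replied packets), the
     host level filling of mandatory attributes from the profile and the
     drop-or-close outcome, and the delivery check of label equality and socket
     ACL that is bypassed for a trusted process in extended attributes mode.
     The Label, HostProfile and Socket types, the dominance ordering used for
     "within the label range", and the attribute names are this example's
     assumptions; they do not reproduce the rhost database or kernel formats.

```python
# Added example (not SGI's code): a model of the network level, host level
# and delivery decisions for the three host categories.  Types, field names
# and the attribute vocabulary are this example's own assumptions.
from dataclasses import dataclass, field
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Label:
    level: int                              # sensitivity level
    cats: FrozenSet[int] = frozenset()      # categories

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.cats >= other.cats


@dataclass
class HostProfile:
    """One remote host (or network) database entry, as modelled here."""
    kind: str                               # "tsix", "ipoption" or "unlabelled"
    low: Label                              # bottom of the permitted label range
    high: Label                             # top of the permitted label range
    default_label: Label                    # label for packets with no option
    defaults: dict = field(default_factory=dict)   # e.g. {"uid": 60001}


def in_range(label: Label, prof: HostProfile) -> bool:
    return label.dominates(prof.low) and prof.high.dominates(label)


def network_level_accept(prof: HostProfile, packet_label: Optional[Label]) -> Optional[Label]:
    """IP-layer check: the label the packet is processed under, or None to drop.
    An unlabelled packet takes the profile default and then faces the same check."""
    if packet_label is None:
        packet_label = prof.default_label
    return packet_label if in_range(packet_label, prof) else None


def forward_accept(dest: HostProfile, label: Label) -> bool:
    """Routed packets and TCB replies (e.g. ICMP) keep the received label,
    which must lie within the destination host or network range."""
    return in_range(label, dest)


MANDATORY = ("label", "uid")                # attribute names assumed here


def host_level_attributes(prof: HostProfile, received: dict, proto: str):
    """Composite attributes for a socket: received attributes (SAMP header for
    a TSIX host, the IP option for an IP-option host) win over profile
    defaults.  Returns 'drop' (UDP) or 'close' (TCP) if a mandatory attribute
    is still missing after the defaults are applied."""
    composite = dict(prof.defaults)
    composite.update(received)
    if any(k not in composite for k in MANDATORY):
        return "drop" if proto == "udp" else "close"
    return composite


@dataclass
class Socket:
    label: Label
    acl_uids: FrozenSet[int]                # uids permitted by the socket ACL
    extended_attrs: bool = False            # TSIX extended attributes mode
    caps: FrozenSet[str] = frozenset()


def deliver(sock: Socket, attrs: dict) -> bool:
    """Delivery policy: label equality and socket ACL.  A trusted process in
    extended attributes mode (which requires CAP_NETWORK_MGT) is handed the
    data with its attributes and enforces policy itself via the TSIX API."""
    if sock.extended_attrs and "CAP_NETWORK_MGT" in sock.caps:
        return True
    return attrs["label"] == sock.label and attrs["uid"] in sock.acl_uids
```

     The unlabelled host case falls out of the same functions: the packet
     label is None, the profile default is used, and a process receives the
     data only if its own label equals that default.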

 SEE ALSO

     libt6(3N), iflabel(1m), rhost(1m), nfssamp(1m), satmpd(1m), satmp(7p),
     samp(7p), tsix(7p)
