OSCL-LXR linux-6.0.1/​Documentation/​netlabel/​cipso_ipv4.rst	Source navigation Diff markup Identifier search General search
	Version: linux-6.0.1 spark-3.0.0 hadoop-3.2.0-src hadoop-3.3.0-src spark-2.4.7 linux-4.15.13 hadoop-2.7.4-src Revert   Change

 ===================================
 NetLabel CIPSO/IPv4 Protocol Engine
 ===================================
 
 Paul Moore, paul.moore@hp.com
 
 May 17, 2006
 
 Overview
 ========
 
 The NetLabel CIPSO/IPv4 protocol engine is based on the IETF Commercial
 IP Security Option (CIPSO) draft from July 16, 1992.  A copy of this
 draft can be found in this directory
 (draft-ietf-cipso-ipsecurity-01.txt).  While the IETF draft never made
 it to an RFC standard it has become a de-facto standard for labeled
 networking and is used in many trusted operating systems.
 
 Outbound Packet Processing
 ==========================
 
 The CIPSO/IPv4 protocol engine applies the CIPSO IP option to packets by
 adding the CIPSO label to the socket.  This causes all packets leaving the
 system through the socket to have the CIPSO IP option applied.  The socket's
 CIPSO label can be changed at any point in time, however, it is recommended
 that it is set upon the socket's creation.  The LSM can set the socket's CIPSO
 label by using the NetLabel security module API; if the NetLabel "domain" is
 configured to use CIPSO for packet labeling then a CIPSO IP option will be
 generated and attached to the socket.
 
 Inbound Packet Processing
 =========================
 
 The CIPSO/IPv4 protocol engine validates every CIPSO IP option it finds at the
 IP layer without any special handling required by the LSM.  However, in order
 to decode and translate the CIPSO label on the packet the LSM must use the
 NetLabel security module API to extract the security attributes of the packet.
 This is typically done at the socket layer using the 'socket_sock_rcv_skb()'
 LSM hook.
 
 Label Translation
 =================
 
 The CIPSO/IPv4 protocol engine contains a mechanism to translate CIPSO security
 attributes such as sensitivity level and category to values which are
 appropriate for the host.  These mappings are defined as part of a CIPSO
 Domain Of Interpretation (DOI) definition and are configured through the
 NetLabel user space communication layer.  Each DOI definition can have a
 different security attribute mapping table.
 
 Label Translation Cache
 =======================
 
 The NetLabel system provides a framework for caching security attribute
 mappings from the network labels to the corresponding LSM identifiers.  The
 CIPSO/IPv4 protocol engine supports this caching mechanism.

This page was automatically generated by the 2.1.0 LXR engine. The LXR team