IRIX man pages: trusted_networking(7)

NAME

     trusted_networking - Trusted IRIX network administration: basic concepts.

PURPOSE

     The purpose of trusted networking is to properly associate security
     attributes with data that is imported to or exported from the system, and
     to enforce system security policy on that data.

POLICIES

     In the current release of Trusted IRIX, the policies enforced by the
     trusted networking code are as follows.

          Transmitted packet labels must fall within the label range of the
          destination host or network profile in the remote host database.

          Received packet labels must fall within the label range of the
          source host or network profile in the remote host database.

          Delivered data must have a label equal to the label of the receiving
          process.  The uid of the delivered data must be permitted by the
          socket ACL.

          Trusted processes that have set the extended attributes mode do not
          have delivery policy enforced, but must enforce appropriate policy
          based on the attributes available through the TSIX API.  Such
          processes must have the CAP_NETWORK_MGT capability enabled.

TSIX

     Trusted IRIX employs the Trusted Security Information Exchange (TSIX)
     standard, which was created by the Trusted Systems Interoperability Group
     (TSIG) to address the shortcomings of IP labeling in a way that would let
     various vendors interoperate with one another.  TSIX is a specification
     of a session layer protocol for passing all the attributes needed to
     enforce policy between two systems.

     In previous releases of Trusted IRIX, network access control decisions
     were based on information contained in the Security Option in the IP
     header of each datagram.  While the IP Security Option is adequate for
     many applications, it is limited to 40 bytes of information, so it cannot
     contain all of the security attributes of the remote user.

SAMP

     The protocol TSIX uses to communicate the attributes between systems is
     the Security Attribute Modulation Protocol (SAMP).  This consists of a
     header and a list of attributes that are prepended to outgoing data as if
     it were user data.  The TCB at one end puts the headers on and the TCB at
     the other end pulls them off before the data gets passed to the user.

     To improve performance, attributes are represented by 32 bit tokens.  The
     Security Attribute Token Mapping Protocol (SATMP) is used to
     convert security attributes in the format native to the local system into
     tokens useful to the destination system.

DOT

     A Domain of Translation (DOT) identifies a set of translation tables a
     system uses when converting security attributes between its native format
     and the network representation understood in that domain.

IP Security Options

     The following IP Security Options are recognized by the trusted
     networking software.

   RIPSO
     The Revised IP Security Option was proposed by the US Department of
     Defense.  RIPSO includes two types of security options.  The Basic
     Security Option (BSO) accommodates sixteen security classifications and
     a variable number of handling restrictions.  The Extended Security Option
     (ESO), used in conjunction with the BSO, encodes security compartments
     and other security information.  RIPSO is described by RFC 1108, U.S.
     Department of Defense Security Options for the Internet Protocol.
     Currently Trusted IRIX supports only the Basic Security Option, with
     eight sensitivity levels.

   CIPSO
     The Commercial IP Security Option was proposed by the Trusted Systems
     Interoperability Group with the intent of meeting trusted networking
     requirements for the commercial trusted systems marketplace.  CIPSO is
     capable of supporting multiple security policies, although the CIPSO
     draft as of this writing only defines the formats and procedures required
     to support mandatory access control.  CIPSO supports only sensitivity
     levels and categories; it does not support integrity grades, divisions or
     special label types.  Trusted IRIX supports two forms of CIPSO labels:
     tag type 1, which can encode categories 1 to 239, and tag type 2, which
     can encode up to fifteen arbitrary categories.

   SGIPSO
     This is CIPSO with additional vendor tag types for administrative labels,
     integrity labels and uids.  SGIPSO supports sensitivity levels, integrity
     grades, categories, divisions and uids, but it does not support special
     label types.  A special form of SGIPSO called 'SGIPSO Special' supports
     only special label types for administrative purposes.

Processing at Network and Host Levels

     Under Trusted IRIX, processing of imported and exported security labels
     occurs at two levels.  At the Network Level, IP Security Options are used
     to route traffic.  At the Session Manager Level, SAMP and SATMP are used
     to send all the Security Attributes required to enforce security policy
     between network components.

   Host Categories
     There are three categories of hosts from which Trusted IRIX can receive
     packets: another TSIX host, a non-TSIX host that puts a security option
     in the IP header, and an unlabelled host.  Policy is enforced as follows.

     TSIX Host       Policy is enforced at the SAMP level, where a check is
                     made to determine whether the data should be delivered to
                     the process for which it is intended.

     IP-Option Host  At the IP layer a check is made to determine whether the
                     packet can be accepted based on information in the
                     security option and the remote host database profile for
                     the source host or network.  At the TCP or UDP layer a
                     check is performed to determine whether the data should
                     be delivered to the process for which it is intended.

     Unlabelled Host Access decisions are the same as for an IP-option host,
                     but the label of the packet is given by defaults
                     specified in the remote host database profile for the
                     source host or network.  A process can communicate with
                     an unlabelled host if the label of the process and the
                     default label of the host are equivalent.

   Network Level Access Decisions
     A received packet either has an SGIPSO, CIPSO, or RIPSO option, or is
     unlabelled.  In the first three cases, the label is extracted and, if it
     is not within the label range of the remote host or network, the packet
     is dropped.  In the case of an unlabelled packet, the label is obtained
     from the host or network profile in the remote host database.

     For packets that are routed, or that are replied to by the TCB, for
     example ICMP, the outgoing packets will have the same label as the
     received packet.  That label will be used for a label range check against
     the destination host or network, and the packet will be dropped if not
     within range.
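     The CIPSO tag formats and the network-level range check described above,
     as an added example that is not Trusted IRIX code: it decodes a CIPSO
     option carrying a tag type 1 category bitmap or a tag type 2 category
     list into a label, substitutes the remote host profile's default label
     for an unlabelled packet, and accepts the packet only if the label lies
     within the profile's range under dominance.  The byte layout of the option
     and the MSB-first bit numbering are assumed from the CIPSO draft, and the
     profile values are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#define CAT_BYTES 30   /* 240 category bits, the size of a CIPSO tag type 1 bitmap */
struct label { uint8_t level; uint8_t cats[CAT_BYTES]; };
/* a dominates b: level at least b's and categories a superset of b's */
static bool dominates(const struct label *a, const struct label *b) {
    if (a->level < b->level) return false;
    for (int i = 0; i < CAT_BYTES; i++)
        if (b->cats[i] & ~a->cats[i]) return false;
    return true;
}
/* Constructed remote host database profile: label range plus the default
 * label assigned to packets from an unlabelled host */
struct rhost_profile { struct label min, max, def; };
/* Decode one CIPSO option (type 134) into a label.  Layout assumed from the
 * CIPSO draft: type, length, 4-byte DOI, then a tag of type, length, alignment
 * octet, sensitivity level and payload.  Tag type 1 payload is a category
 * bitmap (bit 0 = MSB of byte 0); tag type 2 lists 16-bit category numbers. */
static bool cipso_to_label(const uint8_t *opt, size_t len, struct label *out) {
    if (len < 10 || opt[0] != 134 || (size_t)opt[1] != len) return false;
    const uint8_t *tag = opt + 6;
    size_t n = tag[1];
    if (n < 4 || n > len - 6) return false;           /* tag must fit the option */
    memset(out, 0, sizeof *out);
    out->level = tag[3];
    const uint8_t *p = tag + 4;
    n -= 4;                                          /* payload length */
    if (tag[0] == 1) {
        if (n > CAT_BYTES) return false;
        memcpy(out->cats, p, n);
    } else if (tag[0] == 2) {
        if (n % 2 || n / 2 > 15) return false;       /* at most 15 categories */
        for (size_t i = 0; i < n; i += 2) {
            unsigned c = (unsigned)p[i] << 8 | p[i + 1];
            if (c >= CAT_BYTES * 8u) return false;
            out->cats[c / 8] |= (uint8_t)(0x80 >> (c % 8));
        }
    } else return false;                             /* unknown tag type */
    return true;
}
/* Network-level decision: label from the option, or the profile default for
 * an unlabelled packet; accept only if within the source profile's range. */
static bool accept_packet(const uint8_t *opt, size_t len, const struct rhost_profile *pr, struct label *lbl) {
    if (opt == NULL) *lbl = pr->def;
    else if (!cipso_to_label(opt, len, lbl)) return false;
    return dominates(lbl, &pr->min) && dominates(&pr->max, lbl);
}
```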

   Host Level Access Decisions
     For TSIX hosts, the security attributes are provided in the SAMP header.
     Attributes identified as mandatory that are not present in the SAMP header
     are supplied from the remote host database profile entry.  If any
     mandatory attribute is still missing, the packet is dropped in the case
     of UDP, or the connection is closed for TCP.  The session manager
     maintains a composite set of attributes for the socket that consists of
     the last modulated attributes and any defaults.  These composite
     attributes are the attributes used to enforce policy on delivery to
     applications, and are available to trusted applications via the TSIX API.
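     The host-level composite and the delivery policy from POLICIES, as an
     added example that is not Trusted IRIX code: the composite is the last
     modulated attributes overlaid on the profile defaults, a missing mandatory
     attribute rejects the data, and delivery requires the data label to equal
     the receiving process label and the data uid to appear in the socket ACL.
     The attribute kinds and the 32-bit token values are constructed for the
     example; the real SAMP attribute set is not described on this page.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed attribute kinds; values are 32-bit tokens as SATMP would map them */
enum attr { ATTR_SL = 0, ATTR_UID, ATTR_IL, ATTR_COUNT };
struct attrs { bool present[ATTR_COUNT]; uint32_t tok[ATTR_COUNT]; };
/* Build the socket's composite: last modulated attributes take precedence,
 * profile defaults fill the rest.  Returns false when a mandatory attribute
 * is still missing (the caller drops the datagram or closes the connection). */
static bool compose(const struct attrs *modulated, const struct attrs *defaults,
                    const bool mandatory[ATTR_COUNT], struct attrs *out) {
    bool ok = true;
    for (int k = 0; k < ATTR_COUNT; k++) {
        if (modulated->present[k]) {
            out->present[k] = true; out->tok[k] = modulated->tok[k];
        } else if (defaults->present[k]) {
            out->present[k] = true; out->tok[k] = defaults->tok[k];
        } else {
            out->present[k] = false;
            if (mandatory[k]) ok = false;
        }
    }
    return ok;
}
/* Delivery policy: data label equal to the receiving process label, and data
 * uid permitted by the socket ACL (constructed as a plain list of uids). */
static bool may_deliver(const struct attrs *comp, uint32_t proc_sl,
                        const uint32_t *acl_uids, size_t n_acl) {
    if (!comp->present[ATTR_SL] || comp->tok[ATTR_SL] != proc_sl) return false;
    if (!comp->present[ATTR_UID]) return false;
    for (size_t i = 0; i < n_acl; i++)
        if (acl_uids[i] == comp->tok[ATTR_UID]) return true;
    return false;
}
```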

SEE ALSO

     libt6(3N), iflabel(1m), rhost(1m), nfssamp(1m), satmpd(1m), satmp(7p),
     samp(7p), tsix(7p)
