Draft 01                                                    James Morris
                                                       February 10, 2002

                  Selopt IP Options Labeling, Version 1

Table of Contents

   1. Introduction
   2. Option Type
   3. Domain of Interpretation
   4. Security Tags
      4.1 Security Label Parameters
          4.1.1 Parameter Types
   5. Handling
      5.1 ICMP Reporting
      5.2 ICMP Labeling
   6. References

1. Introduction

   This document describes the Selopt [1] implementation of CIPSO [2]
   and FIPS-188 [3] IP options labeling. Selopt labeling is based on
   the now defunct CIPSO draft, and uses the FIPS-188 Free Form tag for
   encoding IP datagrams with SELinux-specific security labels.

2. Option Type

   All labeled traffic under Selopt utilizes the CIPSO (type 134) IP
   option.

3. Domain of Interpretation

   The CIPSO Domain of Interpretation (DOI) field, or Security Tag Set
   Name under FIPS-188, is set to hexadecimal 10001000 for all
   datagrams labeled under Version 1 of Selopt. This DOI value was
   selected arbitrarily, as there is currently no relevant regulatory
   activity in this area.

4. Security Tags

   Each Selopt option contains one variable-length Free Form security
   tag. Under Selopt, the tag is constructed as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   !     Type      !    Length     !                               !
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
   !                                                               !
   ~                   Security Label Parameters                   ~
   !                                                               !
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type: 8 bits.
      Free Form tag type, set to the value 7.

   Length: 8 bits.
      Total length of tag in octets, ranging from 10 to 32 inclusive.

   Security Label Parameters: variable.
      See section 4.1.

4.1 Security Label Parameters

   Each Security Label Parameter is of the form:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   !     Type      !    Length     !                               !
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
   !                                                               !
   ~                             Value                             ~
   !                                                               !
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type: 8 bits.
      Type of Security Label Parameter, must be one of the parameter
      types described in section 4.1.1.

   Length: 8 bits.
      Total length of parameter in octets.

   Value: variable.
      Per section 4.1.1.

4.1.1 Parameter Types

   Note that the length values described here are inclusive of the
   Type and Length fields of the Security Label Parameter.

   +------+--------+-----------+----------------------------------------+
   | Type | Length | Name      | Description                            |
   +------+--------+-----------+----------------------------------------+
   |  1   |   2    | Bypass    | Implicitly labeled (e.g. SCMP packet). |
   +------+--------+-----------+----------------------------------------+
   |  2   |   6    | Serial    | 32-bit policy serial number.           |
   +------+--------+-----------+----------------------------------------+
   |  3   |   6    | SSID      | 32-bit source SID.                     |
   +------+--------+-----------+----------------------------------------+
   |  4   |   6    | MSID      | 32-bit message SID.                    |
   +------+--------+-----------+----------------------------------------+
   |  5   |   6    | DSID      | 32-bit destination SID.                |
   +------+--------+-----------+----------------------------------------+

   A Selopt security tag must contain either:

      a) The Bypass parameter only; or

      b) Serial and SSID parameters, and optionally MSID and DSID
         parameters.

5. Handling

   Handling of IP options under Selopt follows the CIPSO draft unless
   otherwise indicated.

5.1 ICMP Reporting

   [tbd]

5.2 ICMP Labeling

   [tbd]

6. References

   [1] Overview of SELinux Labeled Networking Support via CIPSO/FIPS-188
       IP Options, selopt-overview.txt.

   [2] IETF CIPSO Working Group, Commercial IP Security Option
       (CIPSO 2.2), July 1992 (expired draft).

   [3] Federal Information Processing Standards Publication 188,
       Standard Security Label for Information Transfer, September 1994.
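The following encoder and decoder for the Version 1 option layout described in sections 2 through 4.1.1 is an added example, not part of this draft or of the Selopt implementation. It assumes the CIPSO option layout of the expired draft (option type, option length, 4-octet DOI, then the tag), and it enforces the draft's stated constraints: option type 134, DOI 0x10001000, Free Form tag type 7, a tag length of 10 to 32 octets, the parameter types and lengths of the table in 4.1.1, and the composition rule (Bypass alone, or Serial and SSID with optional MSID and DSID). The function names and the error class are this example's own choices.

```python
"""Encoder and strict decoder for the Selopt Version 1 CIPSO option.

Added example; not the Selopt project's code. Field values are taken
from the draft text, the CIPSO option header layout is assumed.
"""
import struct

CIPSO_OPTION_TYPE = 134      # IP option type used for all labeled traffic
SELOPT_DOI = 0x10001000      # Domain of Interpretation for Version 1
FREE_FORM_TAG_TYPE = 7       # FIPS-188 Free Form tag type
TAG_LEN_MIN, TAG_LEN_MAX = 10, 32

# Parameter type -> (name, total length including the Type/Length octets).
PARAM_TYPES = {
    1: ("Bypass", 2),
    2: ("Serial", 6),
    3: ("SSID", 6),
    4: ("MSID", 6),
    5: ("DSID", 6),
}
PARAM_BY_NAME = {name: ptype for ptype, (name, _) in PARAM_TYPES.items()}


class SeloptError(ValueError):
    """Raised when an option violates the Version 1 format rules."""


def encode_params(params):
    """Encode {"Serial": 1, "SSID": 42, ...} into Security Label Parameters."""
    out = b""
    for name, value in params.items():
        ptype = PARAM_BY_NAME[name]
        plen = PARAM_TYPES[ptype][1]
        if plen == 2:                       # Bypass carries no value
            out += struct.pack("!BB", ptype, plen)
        else:                               # 32-bit value, network byte order
            out += struct.pack("!BBI", ptype, plen, value)
    return out


def build_option(params):
    """Build a complete CIPSO option holding one Selopt Free Form tag."""
    body = encode_params(params)
    tag = struct.pack("!BB", FREE_FORM_TAG_TYPE, 2 + len(body)) + body
    # Option header (assumed CIPSO layout): type, total length, DOI.
    return struct.pack("!BBI", CIPSO_OPTION_TYPE, 6 + len(tag), SELOPT_DOI) + tag


def parse_option(data):
    """Validate an option and return {"doi": int, "params": {name: value}}."""
    if len(data) < 6:
        raise SeloptError("option too short for CIPSO header")
    otype, olen, doi = struct.unpack("!BBI", data[:6])
    if otype != CIPSO_OPTION_TYPE:
        raise SeloptError("not a CIPSO option (type %d)" % otype)
    if olen != len(data):
        raise SeloptError("option length field does not match data")
    if doi != SELOPT_DOI:
        raise SeloptError("unknown DOI 0x%08x" % doi)

    tag = data[6:]
    if len(tag) < 2:
        raise SeloptError("tag too short")
    ttype, tlen = tag[0], tag[1]
    if ttype != FREE_FORM_TAG_TYPE:
        raise SeloptError("unexpected tag type %d" % ttype)
    if tlen != len(tag) or not TAG_LEN_MIN <= tlen <= TAG_LEN_MAX:
        raise SeloptError("bad tag length %d" % tlen)

    params = {}
    pos = 2
    while pos < tlen:
        if tlen - pos < 2:
            raise SeloptError("truncated parameter header")
        ptype, plen = tag[pos], tag[pos + 1]
        if ptype not in PARAM_TYPES:
            raise SeloptError("unknown parameter type %d" % ptype)
        name, expected = PARAM_TYPES[ptype]
        if plen != expected or pos + plen > tlen:
            raise SeloptError("bad length for %s parameter" % name)
        if name in params:
            raise SeloptError("duplicate %s parameter" % name)
        if plen == 2:
            params[name] = True
        else:
            params[name] = struct.unpack("!I", tag[pos + 2:pos + 6])[0]
        pos += plen

    # Composition rule from section 4.1.1: Bypass alone, or
    # Serial + SSID with optional MSID and DSID.
    names = set(params)
    bypass_only = names == {"Bypass"}
    labeled = ("Bypass" not in names and {"Serial", "SSID"} <= names
               and names <= {"Serial", "SSID", "MSID", "DSID"})
    if not (bypass_only or labeled):
        raise SeloptError("invalid parameter combination %s" % sorted(names))
    return {"doi": doi, "params": params}


if __name__ == "__main__":
    opt = build_option({"Serial": 1, "SSID": 42, "MSID": 7, "DSID": 9})
    print(opt.hex())
    print(parse_option(opt))
```

The decoder checks every length field against the bytes actually present before indexing, since a forged Length octet is the usual way an option parser is pushed past the end of its buffer. One consequence of applying the draft's stated 10 to 32 octet range literally is that a Bypass-only tag (2 tag octets plus a 2-octet parameter, 4 octets in total) is rejected by the range check; an implementation that must accept Bypass tags has to treat that minimum as applying to the Serial/SSID form only.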