Leveraging IPSec for Mandatory Access Control of Linux Network Communications

We present an implementation of mandatory access control for Linux network communications that restricts socket access to labelled IPSec security associations. The Linux Security Modules (LSM) framework defines a reference monitor interface that enables security modules (e.g., SELinux) to enforce comprehensive mandatory access control (MAC) for Linux version 2.6. The current LSM control over network communication is limited, however. The LSM interface enables control of process access to sockets, but socket communications can only be restricted by network interfaces and IP addresses. We cannot use LSMs to control access to particular applications on remote machines or reliably associate request processing with the appropriate remote principals. The original proposal based on IP Security Options (IPSO) was found to be too expensive for unlabelled communications, so an alternative mechanism is necessary. Prior work on the Flask security architecture showed that IPSec can be used to enableMAC control on network communication. In this paper, we translate this approach into the Linux system, version 2.6.12. We describe our design for enforcement, which is based on the Linux 2.6 IPSec implementation called the XFRM subsystem (pronounced "transform"). We detail the modifications necessary to the kernel and user-level ipsec-tools to support IPSec policy specification and negotiation. Finally, we show how security function can be enabled using these LSM hooks with the SELinux LSM.

By: Trent R. Jaeger; Serge Hallyn; Joy Latten

Published in: RC23642 in 2005


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to reports@us.ibm.com .