Next: Summary: LinSec Mandatory Security
Up: LinSec IP Labeling
Previous: IPL Inheritance
Contents
IPL Access Control
IPL Access Control takes place when the requested operation and the specified INET
protocol are one of the following:
- connection establishment, TCP
- connection establishment (see footnote 4.10) or message sending, UDP
- message sending, RAW
Since TCP is a connection-oriented protocol, no messages can be exchanged until the
connection has been established. This is why it is enough to check IPL Lists only on
connection establishment requests for TCP. The same does not apply to the UDP or RAW
INET protocols.
In all of the above operation/protocol combinations the network request specifies
the destination entity in terms of an IP address and, if the protocol is not RAW, a
destination port. The IPL Access Control algorithm grants the request, i.e. passes
the request to the lower OS layer as specified in Figure 4.4.1, if an IPL Element is
found in the requesting process' IPL List that matches the following criteria:
- ipl_element.protocol == request.protocol
- (ipl_element.ip_addr & ipl_element.netmask) == (request.destination_ip & ipl_element.netmask)
- If the protocol used is not RAW:
  - (request.destination_port >= ipl_element.start_port) AND
    (request.destination_port <= ipl_element.end_port), if both
    ipl_element.start_port and ipl_element.end_port are defined, or
  - request.destination_port == ipl_element.start_port, if only
    ipl_element.start_port is defined.
Where:
- anything prefixed with ipl_element represents the contents of the IPL Element
  being matched, and
- anything prefixed with request represents the network request's destination
  parameters.
Port range checking is not applicable to the RAW protocol, which is why the last
step of the access control algorithm is skipped when RAW is used.
The algorithm, as such, implies a default DENY_ALL policy: if no matching IPL
Element is found, the requested network operation is refused. This can be
overridden, although it is not advisable, by putting an IPL Element with IP address
0.0.0.0 and netmask 0 in the default IPL Group 0.
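The matching algorithm above, written out as an added C example (this is not LinSec's kernel code; struct names, the protocol tags, the IP4 macro and the convention that a port value of 0 means "not defined" are all assumptions of this example). It walks a constructed IPL List, applies the protocol, netmask and port-range criteria in order, skips the port check for RAW, and falls through to the default DENY when nothing matches. It also shows why the 0.0.0.0/netmask-0 element matches every destination.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol tags used by this example (assumption; LinSec's own constants are not on the page). */
enum ipl_proto { IPL_TCP = 6, IPL_UDP = 17, IPL_RAW = 255 };

/* One IPL Element with the fields named in the matching criteria.
 * A port of 0 is treated as "not defined" (encoding assumed for this example). */
struct ipl_element {
    enum ipl_proto protocol;
    uint32_t ip_addr;
    uint32_t netmask;
    uint16_t start_port;
    uint16_t end_port;
};

/* Destination parameters carried by a network request. */
struct ipl_request {
    enum ipl_proto protocol;
    uint32_t destination_ip;
    uint16_t destination_port;
};

/* Build a host-order IPv4 address from dotted-quad components. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* CIDR prefix length (0..32) to 32-bit mask; prefix 0 yields the all-matching netmask 0. */
uint32_t prefix_to_mask(int prefix)
{
    if (prefix <= 0) return 0;
    if (prefix >= 32) return 0xFFFFFFFFu;
    return ~((1u << (32 - prefix)) - 1u);
}

/* Criteria from the text: protocol, masked address, then (non-RAW only) the port rule. */
static bool ipl_element_matches(const struct ipl_element *e, const struct ipl_request *r)
{
    if (e->protocol != r->protocol) return false;
    if ((e->ip_addr & e->netmask) != (r->destination_ip & e->netmask)) return false;
    if (r->protocol == IPL_RAW) return true;          /* port range check skipped for RAW */
    if (e->start_port != 0 && e->end_port != 0)       /* both ports defined: range check */
        return r->destination_port >= e->start_port && r->destination_port <= e->end_port;
    if (e->start_port != 0)                           /* only start_port defined: exact match */
        return r->destination_port == e->start_port;
    return false;  /* no port defined for TCP/UDP: the page gives no rule, treated as no match */
}

/* Walk the process' IPL List; DENY_ALL by default when no element matches. */
bool ipl_access_allowed(const struct ipl_element *list, size_t n, const struct ipl_request *r)
{
    for (size_t i = 0; i < n; i++)
        if (ipl_element_matches(&list[i], r)) return true;
    return false;
}

/* Constructed sample list: TCP to 10.0.0.0/8 ports 80-443, UDP to one DNS host, RAW to 192.168.1.0/24. */
static const struct ipl_element sample_list[] = {
    { IPL_TCP, IP4(10, 0, 0, 0),     0xFF000000u, 80, 443 },
    { IPL_UDP, IP4(10, 0, 0, 53),    0xFFFFFFFFu, 53, 0   },
    { IPL_RAW, IP4(192, 168, 1, 0),  0xFFFFFF00u, 0,  0   },
};

/* Convenience wrapper over the constructed sample list. */
bool sample_allowed(enum ipl_proto proto, uint32_t ip, uint16_t port)
{
    struct ipl_request r = { proto, ip, port };
    return ipl_access_allowed(sample_list, sizeof sample_list / sizeof sample_list[0], &r);
}

/* The not-advisable override: address 0.0.0.0 with netmask 0 masks every destination to 0,
 * so the address criterion always holds. The port range 1-65535 is an assumption here. */
bool override_allowed(enum ipl_proto proto, uint32_t ip, uint16_t port)
{
    struct ipl_element allow_all = { proto, IP4(0, 0, 0, 0), prefix_to_mask(0), 1, 65535 };
    struct ipl_request r = { proto, ip, port };
    return ipl_access_allowed(&allow_all, 1, &r);
}

int main(void)
{
    printf("TCP 10.1.2.3:443  -> %s\n", sample_allowed(IPL_TCP, IP4(10, 1, 2, 3), 443) ? "GRANT" : "DENY");
    printf("TCP 10.1.2.3:8080 -> %s\n", sample_allowed(IPL_TCP, IP4(10, 1, 2, 3), 8080) ? "GRANT" : "DENY");
    printf("RAW 192.168.1.77  -> %s\n", sample_allowed(IPL_RAW, IP4(192, 168, 1, 77), 0) ? "GRANT" : "DENY");
    printf("override TCP any  -> %s\n", override_allowed(IPL_TCP, IP4(203, 0, 113, 9), 9999) ? "GRANT" : "DENY");
    return 0;
}
```

The order of checks mirrors the text: a protocol or netmask mismatch short-circuits before any port comparison, and a RAW request returns as soon as the address matches. Everything not explicitly granted by an element ends in the final `return false`, which is the DENY_ALL default.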
Footnotes
- 4.10 (... establishment): The standard Linux network API provides the notion of a
  connected UDP socket. A UDP socket connection is effectively only a kernel
  association between a connection id and a destination address. Programmers in
  user space use the network id, obtained when the connection is established, for
  sending UDP datagrams, and the kernel ensures that the network id is properly
  matched to the desired destination address.