On Mon, 8 May 2006, Karl MacMillan wrote:

> Something like CONNMARK seems preferable to me (perhaps even allowing
> type_transition rules to give the related packets a unique type). This
> makes the labeling reflect the real security property of the packets.

That's arguable. The real security property afaict is that the packets are of some state (established or related to an existing connection). It is implicit in the mechanism that they're tracked as part of an authorized connection.

> Yes, we are trusting the conntrack to mark the packets accurately, but
> it makes the policy match the intent. Otherwise it is not possible to
> reason about information flow using just the policy.

Why not? You just state that all established and related packets reaching vsftpd are valid, and that no invalid packets can deliver data to the application.

You can play tricks and stick a label on a packet but that doesn't change what's actually happening or your ability to reason about it. You assume conntrack works correctly (and if it doesn't, then labeling connections will break, too).

> Are there serious downsides to this approach?

Yes, it's an ugly hack which is not needed.

> > You can always not use conntrack and emulate the existing controls, as
> > well.
>
> Yes, but gaining connection tracking is a major advantage of this
> approach over the existing controls.

The point is to show that this scheme provides much stronger security assurances, and that if you wished, you could easily revert to stateless filtering and have the "correct" labels on the packets; which would be worse.

- James
--
James Morris <[EMAIL PROTECTED]>