Leveraging IPsec for mandatory per-packet access control

Trent Ray Jaeger, David H. King, Kevin R. Butler, Serge Hallyn, Joy Latten, Xiaolan Zhang

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Citations (Scopus)

Abstract

Mandatory access control (MAC) enforcement is becoming available for commercial environments. For example, Linux 2.6 includes the Linux Security Modules (LSM) framework that enables the enforcement of MAC policies (e.g., Type Enforcement or Multi-Level Security) for individual systems. While this is a start, we envision that MAC enforcement should span multiple machines. The goal is to be able to control interaction between applications on different machines based on MAC policy. In this paper, we describe a recent extension of the LSM framework that enables labeled network communication via IPsec that is now available in mainline Linux as of version 2.6.16. This functionality enables machines to control communication with processes on other machines based on the security label assigned to an IPsec security association. We outline a security architecture based on labeled IPsec to enable distributed MAC authorization. In particular, we examine the construction of a xinetd service that uses labeled IPsec to limit client access on Linux 2.6.16 systems. We also discuss the application of labeled IPsec to distributed storage and virtual machine access control.

Original languageEnglish (US)
Title of host publication2006 Securecomm and Workshops
DOIs
StatePublished - Dec 1 2006
Event2006 Securecomm and Workshops - Baltimore, MD, United States
Duration: Aug 28 2006Sep 1 2006

Publication series

Name2006 Securecomm and Workshops

Other

Other2006 Securecomm and Workshops
CountryUnited States
CityBaltimore, MD
Period8/28/069/1/06

Fingerprint

Access control
Telecommunication networks
Labels
communication
authorization
Linux
functionality
Communication
interaction

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Communication

Cite this

Jaeger, T. R., King, D. H., Butler, K. R., Hallyn, S., Latten, J., & Zhang, X. (2006). Leveraging IPsec for mandatory per-packet access control. In 2006 Securecomm and Workshops [4198790] (2006 Securecomm and Workshops). https://doi.org/10.1109/SECCOMW.2006.359530
Jaeger, Trent Ray ; King, David H. ; Butler, Kevin R. ; Hallyn, Serge ; Latten, Joy ; Zhang, Xiaolan. / Leveraging IPsec for mandatory per-packet access control. 2006 Securecomm and Workshops. 2006. (2006 Securecomm and Workshops).
@inproceedings{44f38e6089fe4412a99c8780630d1e3f,
title = "Leveraging IPsec for mandatory per-packet access control",
abstract = "Mandatory access control (MAC) enforcement is becoming available for commercial environments. For example, Linux 2.6 includes the Linux Security Modules (LSM) framework that enables the enforcement of MAC policies (e.g., Type Enforcement or Multi-Level Security) for individual systems. While this is a start, we envision that MAC enforcement should span multiple machines. The goal is to be able to control interaction between applications on different machines based on MAC policy. In this paper, we describe a recent extension of the LSM framework that enables labeled network communication via IPsec that is now available in mainline Linux as of version 2.6.16. This functionality enables machines to control communication with processes on other machines based on the security label assigned to an IPsec security association. We outline a security architecture based on labeled IPsec to enable distributed MAC authorization. In particular, we examine the construction of a xinetd service that uses labeled IPsec to limit client access on Linux 2.6.16 systems. We also discuss the application of labeled IPsec to distributed storage and virtual machine access control.",
author = "Jaeger, {Trent Ray} and King, {David H.} and Butler, {Kevin R.} and Serge Hallyn and Joy Latten and Xiaolan Zhang",
year = "2006",
month = "12",
day = "1",
doi = "10.1109/SECCOMW.2006.359530",
language = "English (US)",
isbn = "1424404231",
series = "2006 Securecomm and Workshops",
booktitle = "2006 Securecomm and Workshops",

}

Jaeger, TR, King, DH, Butler, KR, Hallyn, S, Latten, J & Zhang, X 2006, Leveraging IPsec for mandatory per-packet access control. in 2006 Securecomm and Workshops., 4198790, 2006 Securecomm and Workshops, 2006 Securecomm and Workshops, Baltimore, MD, United States, 8/28/06. https://doi.org/10.1109/SECCOMW.2006.359530

Leveraging IPsec for mandatory per-packet access control. / Jaeger, Trent Ray; King, David H.; Butler, Kevin R.; Hallyn, Serge; Latten, Joy; Zhang, Xiaolan.

2006 Securecomm and Workshops. 2006. 4198790 (2006 Securecomm and Workshops).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

TY - GEN

T1 - Leveraging IPsec for mandatory per-packet access control

AU - Jaeger, Trent Ray

AU - King, David H.

AU - Butler, Kevin R.

AU - Hallyn, Serge

AU - Latten, Joy

AU - Zhang, Xiaolan

PY - 2006/12/1

Y1 - 2006/12/1

N2 - Mandatory access control (MAC) enforcement is becoming available for commercial environments. For example, Linux 2.6 includes the Linux Security Modules (LSM) framework that enables the enforcement of MAC policies (e.g., Type Enforcement or Multi-Level Security) for individual systems. While this is a start, we envision that MAC enforcement should span multiple machines. The goal is to be able to control interaction between applications on different machines based on MAC policy. In this paper, we describe a recent extension of the LSM framework that enables labeled network communication via IPsec that is now available in mainline Linux as of version 2.6.16. This functionality enables machines to control communication with processes on other machines based on the security label assigned to an IPsec security association. We outline a security architecture based on labeled IPsec to enable distributed MAC authorization. In particular, we examine the construction of a xinetd service that uses labeled IPsec to limit client access on Linux 2.6.16 systems. We also discuss the application of labeled IPsec to distributed storage and virtual machine access control.

AB - Mandatory access control (MAC) enforcement is becoming available for commercial environments. For example, Linux 2.6 includes the Linux Security Modules (LSM) framework that enables the enforcement of MAC policies (e.g., Type Enforcement or Multi-Level Security) for individual systems. While this is a start, we envision that MAC enforcement should span multiple machines. The goal is to be able to control interaction between applications on different machines based on MAC policy. In this paper, we describe a recent extension of the LSM framework that enables labeled network communication via IPsec that is now available in mainline Linux as of version 2.6.16. This functionality enables machines to control communication with processes on other machines based on the security label assigned to an IPsec security association. We outline a security architecture based on labeled IPsec to enable distributed MAC authorization. In particular, we examine the construction of a xinetd service that uses labeled IPsec to limit client access on Linux 2.6.16 systems. We also discuss the application of labeled IPsec to distributed storage and virtual machine access control.

UR - http://www.scopus.com/inward/record.url?scp=50049106863&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=50049106863&partnerID=8YFLogxK

U2 - 10.1109/SECCOMW.2006.359530

DO - 10.1109/SECCOMW.2006.359530

M3 - Conference contribution

SN - 1424404231

SN - 9781424404230

T3 - 2006 Securecomm and Workshops

BT - 2006 Securecomm and Workshops

ER -

Jaeger TR, King DH, Butler KR, Hallyn S, Latten J, Zhang X. Leveraging IPsec for mandatory per-packet access control. In 2006 Securecomm and Workshops. 2006. 4198790. (2006 Securecomm and Workshops). https://doi.org/10.1109/SECCOMW.2006.359530