OpenSolaris contains an IPsec component and a Trusted Networking component that solve closely related problems but which currently operate entirely independently of each other.
This project proposes to bring the two together in a way which preserves all existing capabilities of the individual components but which allows the capabilities to be combined to increase the usefulness, applicability, and security of both components.
Trusted Networking will gain on-the-wire integrity and confidentiality protection of sensitivity labels, plus an optional, more compact on-the-wire representation of the label (as an implicit property of the security association), making it less reliant on physically secured network paths. Implicit labeling will be usable both with other MLS systems and with non-MLS systems that use a single label per system assigned by policy.
IPsec will gain the ability to use network repositories for policy configuration, allowing even unlabeled networks (that is, those not using TX) to benefit from this project.
The project will integrate in phases; the exact content of each phase is still subject to change.
The initial phase is intended to provide a limited labeled IPsec capability using the existing TX networking databases unchanged, allowing IPsec-protected implicitly labeled networking among a set of systems under common administration.
This phase is currently being prototyped; in addition, there is a design review in progress.
Later phases will extend the TX networking databases to better separate policy (clearances, etc.) from mechanism (CIPSO vs IPsec vs ...).
© 2012, Oracle Corporation and/or its affiliates.