[Lxc-users] Mitigating LXC Container Evasion?

Michael H. Warfield mhw at WittsEnd.com
Thu Aug 4 13:25:37 UTC 2011 

On Wed, 2011-08-03 at 22:21 -0700, Casey Schaufler wrote: 
> On 8/3/2011 9:39 PM, Michael H. Warfield wrote:
> > On Wed, 2011-08-03 at 21:01 -0700, Casey Schaufler wrote:
> >> On 8/3/2011 4:24 PM, Serge E. Hallyn wrote:
> >>> Quoting Andre Nathan (andre at digirati.com.br):
> >>>> Hi Mike
> >>>>
> >>>> On Wed, 2011-08-03 at 17:52 -0400, Michael H. Warfield wrote:
> >>>>> That's v4 syntax. Does it not work at all? Did you try this:
> >>>>>
> >>>>> echo ::/0 @ > /smack/netlabel
> >>>>>
> >>>>> Not having tried this myself at all, I'm just asking. If it doesn't
> >>>>> work, that needs to be fixed but it's a SMACK bug.
> >>>> Olivier's IPv4 example works fine, but with IPv6 I get an error:
> >>>>
> >>>> # echo ::/0 @ > /smack/netlabel
> >>>> -bash: echo: write error: Invalid argument
> >>> Looking at linux-2.6/security/smack/smackfs.c, nothing but
> >>> 'a.b.c.d label' or 'a.b.c.d/mask label' is allowed. Now,
> >>> smack_lsm.c does suggest that it wants to work with IPV6,
> >>> but I haven't looked closely enough to tell how it will
> >>> try to match the labels.
> >>>
> >>> Casey, is Smack netlabel supposed to work with IPV6?
> >
> >> IPv6 support is a pending work item for Smack. The whole
> >> IPSEC thing makes it much more difficult than IPv4.
> >
> > ???
>  
> 'struth, as they say down under.
>  
> >
> > Whoa... Hold da phone a minute!
> >
> > I'm a contributor and developer to Openswan (I'm the author of some code
> > for some Cisco ASA compatibility) and other VPN projects. That does not
> > compute to me. How does IPsec make IPv6 more difficult? Are you saying
> > you do not support IPsec on IPv4 but support is required on IPv6 or is
> > there something else in v6 that I'm missing here. IPv6 does complicate
> > things when you get into IKE v2 world where you can directly tunnel a v6
> > network over v4 endpoints which IKE v1 did not provide for. Is this the
> > problem? The cross protocol encapsulations?

> Smack does not use IPsec on IPv4. Smack uses CIPSO. CIPSO is
> implemented completely within the kernel. It has no user space
> component. There is no CIPSO equivalent for IPv6 due to the
> expectation that all IPv6 implementations will use IPsec and
> IPsec will address all security issues known to man and then
> some.

Ok...  Now I'm confused.  I don't care if Smack uses IPsec or whatever.
What's important is that "I" use IPsec.  Take that as a fundamental
operating condition, you have IPsec on IPv4.  It's fundamental to many
IPv4 VPNs.  Now the question becomes does SMACK support it or does SMACK
disrupted it or what impact do that have on each other?

CISPO seems to be just a way of labeling packets and applying and
confirming tags on packets.  That sounds reasonable for SMACK to be
using it.  That sounds orthogonal to IPsec and sort of like IPsec AH
without ESP.

So, I'm gathering that SMACK can't handle IPv6 because SMACK depends on
CISPO and CISPO is apparently not supporting IPv6.  But what has that
got to do with IPsec?  You're going to have to support IPsec in both
IPv4 and IPv6 just due to the existence of VPNs that depend on it.  You
can't exclude IPsec from either.  But, you don't have to use it in
either.  The original intent of the IETF was to mandate the SUPPORT of
IPsec in IPv6 but not it's use.  Support of IPsec in IPv4 is not
mandatory but has become so important in many installations that it may
as well be.

> > Openswan supports 3 stacks, Netkey (the kernel native), KLIPS (the
> > original FreeS/WAN stack), and Mast. My personal primary focus has been
> > on the Netkey stack which is managed through the "ip xfrm" commands and
> > functions. To the user space, IPv6 and IPv4 are agnostic. How does v6
> > in SMACK space become more difficult for v6? It shouldn't be...

> You're right. If Smack was using IPsec for IPv4 it oughtn't be
> any more difficult for IPv6. Smack is not using IPsec because it
> is orders of magnitude more complex than CIPSO.

Then don't use IPsec for IPv4.  But you better be supporting it or you
are broken.

> Thus, IPv6 support for Smack is much harder than IPv4 support
> for Smack was. The difference is not between IPv6 and IPv4,
> rather it is the difference between IPsec and CIPSO.

That's a non-sequitur.  You are not required to use IPsec in either IPv4
or IPv6.  You are required to support it in the sense that you must not
break it an that is true in both IPv4 as well as IPv6.  Use what you
want but you must not break other facilities.

> >>> thanks,
> >>> -serge
> >
> > Regards,
> > Mike
>  
> 
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20110804/3710070b/attachment.pgp>

More information about the lxc-users mailing list