[Lxc-users] Mitigating LXC Container Evasion?

Michael H. Warfield mhw at WittsEnd.com
Thu Aug 4 16:40:55 UTC 2011


On Thu, 2011-08-04 at 09:11 -0700, Casey Schaufler wrote: 
> On 8/4/2011 6:52 AM, Michael H. Warfield wrote:
> > On Wed, 2011-08-03 at 22:21 -0700, Casey Schaufler wrote: 
> >> Smack does not use IPsec on IPv4. Smack uses CIPSO. CIPSO is
> >> implemented completely within the kernel. It has no user space
> >> component. There is no CIPSO equivalent for IPv6 due to the
> >> expectation that all IPv6 implementations will use IPsec and
> >> IPsec will address all security issues known to man and then
> >> some.
> > Oh, one other point...
> >
> > "due to the expectation that all IPv6 implementations will use IPsec and
> > IPsec will address all security issues known to man and then some."
> >
> > Whose assumption?  Certainly not that of the IETF.  Sounds like some
> > nonsense promulgated by some anti-IPv6 camps and sounds somewhat
> > denigrating and disparaging.

> Sorry about that. I was a founding member of TSIG* and we had
> a very uncomfortable set of interactions with IETF regarding
> CIPSO and SAMP**. We were very forcefully told to let the IETF
> provide for us, as we clearly didn't know what we were doing.
> IPsec was the solution presented, it didn't provide the security
> attribute transmission we required, and the systems that we
> needed the solution for had been dismantled long before IPsec
> was ready for deployment. Yes, there is some bitterness. The
> Unix trusted systems community never recovered from the lack
> of a standard that we could use to have the various vendors'
> systems talk to each other.

Gotcha.  Yeah, I've been involved with several WGs at the IETF and was
one of the original founders of the IDWG WG representing Internet
Security Systems at the IETF.  It's been described as the highest
density of assholes per square meter on the face of the earth.  I had an
area director pull me into one of the "Emergency Preparedness WG"
meetings one meeting just to sit in and critique the noise that was going
on in that one (some of it centered around some disagreements between
the ITU and the IETF and what should be provided for emergency
responders).  The discussion led by the emergency responders could best
be described as: "We like toast.  Make the Internet make toast."  No
comprehension.  No clue.  I understand fully from both sides of those
arguments.  I'm equally sure they thought the same thing about us.

I also understand that CIPSO was a draft for a common implementation of
IPSO, RFC 1108, which seems to be largely DoD oriented.  I saw the WG
finished up business and the last draft expired back in 94 with no RFC
(no biggie - XAUTH never got an RFC and I'm up to my behind in the
Openswan XAUTH code).  There's always been a certain level of tension
between the purists in the IETF and others such as the military crowd or
ITU or certain commercial interests.  I took part in some of the
discussions over making IPsec support mandatory in IPv6 back in the bad
ole days of ITAR when crypto was a tightly regulated export restricted
"munition".  Yeah, back then, IPsec was presented as a be all and end
all and they had dreams of end-to-end encryption for all.  And here we
are.  Reality has had to set in.  Sigh.  Par for da course.
> ---
> *  Trusted Systems Interoperability Group
> ** Security Attribute Modulation Protocol
> 
> > It's demonstrably false.  We still have MD5 signatures on tcp packets
> > used by BGP on IPv6 (I'm also a contributor to quagga in that very area)
> > even though it was originally "expected" that AH would replace MD5
> > signatures for BGP authentication.  That expectation went bye-bye many
> > years ago.  We still have Kerberos.  I don't see anyone going back to
> > telnet instead of ssh over IPv6.  We still have SSL over IPv6.  The very
> > statement is facetious on its face and can't possibly be taken
> > seriously.

> You are of course correct. My comment was sarcastic and inappropriate.

NP.  I've been rightfully accused of worse myself.

> > If SMACK does not support IPv6 then SMACK is broken.  Fix
> > it.

> That is and has always been the plan. It's really a matter of getting
> the hands onto it. It's a big project and will require more work than
> I can plan on getting done in the short term.

Well the short course should be just to get the CIPSO tags into IPv6,
but that's just IP option 134, right?  You really don't need to mess
with IPsec one way or the other.  I know, I know, there's the whole
layer of API and management and what not around it, so it's obviously
not so simple as simply adding the AF to those modules.  But it should
just parallel the v4 code and don't do anything special wrt the IPsec
logic.

> > IPv6 is a reality.

> I never said otherwise. I believe you.

Cool.

> > Regards,
> > Mike

> Likewise, Casey

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
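
The IPv4 side of what the message above refers to, as an added example that is not part of the original post and is not Smack or kernel code: a bounds-checked walk of an IPv4 header's options that locates option 134 and reads the DOI and the first tag. The layout (type, length, 4-byte DOI, then tags; tag type 1 as type, length, alignment octet, level, category bitmap) is assumed from the expired CIPSO draft; `find_cipso`, `cipso_info` and `sample_hdr` are hypothetical names and the header bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define IPOPT_CIPSO 134 /* option number named in the message */
struct cipso_info { uint32_t doi; uint8_t tag_type; int level; };
/* Constructed sample: 32-byte IPv4 header (IHL=8), options are
 * NOP, CIPSO (DOI 3, tag type 1, level 5), EOL. Checksum left 0. */
static const uint8_t sample_hdr[32] = {
    0x48, 0, 0, 32, 0, 0, 0, 0, 64, 6, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2,
    1, 134, 10, 0, 0, 0, 3, 1, 4, 0, 5, 0
};

/* Returns 1 if CIPSO is found, 0 if absent, -1 if header/options malformed. */
int find_cipso(const uint8_t *h, size_t len, struct cipso_info *out)
{
    if (len < 20 || (h[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(h[0] & 0x0f) * 4, i = 20;
    if (ihl < 20 || ihl > len) return -1;     /* IHL must fit the buffer */
    while (i < ihl) {
        uint8_t type = h[i];
        if (type == 0) break;                 /* end of option list */
        if (type == 1) { i++; continue; }     /* one-byte no-op */
        if (i + 1 >= ihl) return -1;          /* no room for a length byte */
        size_t olen = h[i + 1];
        if (olen < 2 || i + olen > ihl) return -1;
        if (type == IPOPT_CIPSO) {
            const uint8_t *p = h + i;         /* type, len, DOI[4], tags */
            if (olen < 8) return -1;          /* needs DOI + one tag header */
            size_t tlen = p[7];               /* length of the first tag */
            if (tlen < 2 || 6 + tlen > olen) return -1;
            out->doi = ((uint32_t)p[2] << 24) | ((uint32_t)p[3] << 16) |
                       ((uint32_t)p[4] << 8) | p[5];
            out->tag_type = p[6];
            /* tag type 1: type, len, alignment octet, level, categories */
            out->level = (p[6] == 1 && tlen >= 4) ? p[9] : -1;
            return 1;
        }
        i += olen;
    }
    return 0;
}

int main(void)
{
    struct cipso_info ci;
    int r = find_cipso(sample_hdr, sizeof sample_hdr, &ci);
    if (r == 1) printf("DOI %u, level %d\n", (unsigned)ci.doi, ci.level);
    return r == 1 ? 0 : 1;
}
```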