[Lxc-users] Mitigating LXC Container Evasion?

Casey Schaufler casey at schaufler-ca.com
Thu Aug 4 16:11:32 UTC 2011


On 8/4/2011 6:52 AM, Michael H. Warfield wrote:
> On Wed, 2011-08-03 at 22:21 -0700, Casey Schaufler wrote: 
>> Smack does not use IPsec on IPv4. Smack uses CIPSO. CIPSO is
>> implemented completely within the kernel. It has no user space
>> component. There is no CIPSO equivalent for IPv6 due to the
>> expectation that all IPv6 implementations will use IPsec and
>> IPsec will address all security issues known to man and then
>> some.
> Oh, one other point...
>
> "due to the expectation that all IPv6 implementations will use IPsec and
> IPsec will address all security issues known to man and then some."
>
> Whose assumption?  Certainly not that of the IETF.  Sounds like some
> nonsense promulgated by some anti-IPv6 camps and sounds somewhat
> denigrating and disparaging.

Sorry about that. I was a founding member of TSIG* and we had
a very uncomfortable set of interactions with IETF regarding
CIPSO and SAMP**. We were very forcefully told to let the IETF
provide for us, as we clearly didn't know what we were doing.
IPsec was the solution presented, it didn't provide the security
attribute transmission we required, and the systems that we
needed the solution for had been dismantled long before IPsec
was ready for deployment. Yes, there is some bitterness. The
Unix trusted systems community never recovered from the lack
of a standard that we could use to have the various vendors'
systems talk to each other.

---
*  Trusted Systems Interoperability Group
** Security Attribute Modulation Protocol

> It's demonstrably false.  We still have MD5 signatures on tcp packets
> used by BGP on IPv6 (I'm also a contributor to quagga in that very area)
> even though it was originally "expected" that AH would replace MD5
> signatures for BGP authentication.  That expectation went bye-bye many
> years ago.  We still have Kerberos.  I don't see anyone going back to
> telnet instead of ssh over IPv6.  We still have SSL over IPv6.  The very
> statement is facetious on its face and can't possibly be taken
> seriously.

You are of course correct. My comment was sarcastic and inappropriate.

> If SMACK does not support IPv6 then SMACK is broken.  Fix
> it.

That is and has always been the plan. It's really a matter of getting
the hands onto it. It's a big project and will require more work than
I can plan on getting done in the short term.

> IPv6 is a reality.

I never said otherwise. I believe you.

> Regards,
> Mike

Likewise, Casey
