.. SPDX-License-Identifier: GPL-2.0

====
SCTP
====

SCTP LSM Support
================

Security Hooks
--------------

For security module support, four SCTP specific hooks have been implemented::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()
    security_sctp_assoc_established()

The usage of these hooks is described below, with the SELinux implementation
described in the `SCTP SELinux Support`_ chapter.


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@asoc`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @asoc - pointer to sctp association structure.
    @skb - pointer to skbuff of association packet.


security_sctp_bind_connect()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes one or more ipv4/ipv6 addresses to the security module for validation
based on the ``@optname`` that will result in either a bind or connect
service as shown in the permission check tables below.
Returns 0 on success, error on failure.
::

    @sk      - Pointer to sock structure.
    @optname - Name of the option to validate.
    @address - One or more ipv4 / ipv6 addresses.
    @addrlen - The total length of the address(es). This is calculated on each
               ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
               sizeof(struct sockaddr_in6).

    ------------------------------------------------------------------
    |                     BIND Type Checks                           |
    |       @optname             |         @address contains         |
    |----------------------------|-----------------------------------|
    | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
    | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
    | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
    ------------------------------------------------------------------

    ------------------------------------------------------------------
    |                    CONNECT Type Checks                         |
    |       @optname             |         @address contains         |
    |----------------------------|-----------------------------------|
    | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
    | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
    | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
    | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
    ------------------------------------------------------------------

A summary of the ``@optname`` entries is as follows::

    SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                             associated after (optionally) calling
                             bind(3).
                             sctp_bindx(3) adds a set of bind
                             addresses on a socket.

    SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                            addresses for reaching a peer
                            (multi-homed).
                            sctp_connectx(3) initiates a connection
                            on an SCTP socket using multiple
                            destination addresses.

    SCTP_SENDMSG_CONNECT - Initiate a connection that is generated by a
                           sendmsg(2) or sctp_sendmsg(3) on a new association.

    SCTP_PRIMARY_ADDR - Set local primary address.

    SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                                 association primary.

    SCTP_PARAM_ADD_IP          - These are used when Dynamic Address
    SCTP_PARAM_SET_PRIMARY     - Reconfiguration is enabled as explained below.


To support Dynamic Address Reconfiguration the following parameters must be
enabled on both endpoints (or use the appropriate **setsockopt**\(2))::

    /proc/sys/net/sctp/addip_enable
    /proc/sys/net/sctp/addip_noauth_enable

then the following *_PARAM_*'s are sent to the peer in an
ASCONF chunk when the corresponding ``@optname``'s are present::

            @optname                      ASCONF Parameter
             ----------                  ------------------
    SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
    SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY
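
The address walk and the BIND/CONNECT classification described above, as an
added example that is not kernel code: it models an LSM's
``security_sctp_bind_connect()`` loop over ``@address`` for ``@addrlen`` bytes
on a constructed buffer holding one IPv4 and one IPv6 address. The first four
option values are the Linux uapi values; ``SCTP_SENDMSG_CONNECT`` and the
``SCTP_PARAM_*`` symbols are kernel-internal, so their numbers here are
placeholders.

```c
/* Added example, not kernel code: models how an LSM's security_sctp_bind_connect()
 * walks the @address buffer for @addrlen bytes (sizeof(struct sockaddr_in) or
 * sizeof(struct sockaddr_in6) per element) and maps @optname to a BIND or CONNECT check. */
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* First four: Linux uapi <linux/sctp.h> values. Last three: kernel-internal, placeholders. */
#define SCTP_SOCKOPT_BINDX_ADD      100
#define SCTP_SOCKOPT_CONNECTX       110
#define SCTP_PRIMARY_ADDR           6
#define SCTP_SET_PEER_PRIMARY_ADDR  5
#define SCTP_SENDMSG_CONNECT        0x8000 /* placeholder */
#define SCTP_PARAM_ADD_IP           0xc001 /* placeholder */
#define SCTP_PARAM_SET_PRIMARY      0xc004 /* placeholder */

enum check_type { CHECK_NONE = 0, CHECK_BIND, CHECK_CONNECT };

/* The BIND / CONNECT tables; *multi: may @address hold more than one address? */
static enum check_type optname_check(int optname, int *multi)
{
	*multi = 0;
	switch (optname) {
	case SCTP_SOCKOPT_BINDX_ADD: *multi = 1; return CHECK_BIND;
	case SCTP_SOCKOPT_CONNECTX: case SCTP_PARAM_ADD_IP: *multi = 1; return CHECK_CONNECT;
	case SCTP_PRIMARY_ADDR: case SCTP_SET_PEER_PRIMARY_ADDR: return CHECK_BIND;
	case SCTP_SENDMSG_CONNECT: case SCTP_PARAM_SET_PRIMARY: return CHECK_CONNECT;
	default: return CHECK_NONE;
	}
}

/* Returns how many addresses would be permission-checked and sets *type, or a negative
 * errno: unknown @optname, unknown family, an address cut short by @addrlen, or
 * several addresses for a single-address @optname. */
int sctp_bind_connect_walk(int optname, const struct sockaddr *address,
			   int addrlen, enum check_type *type)
{
	const unsigned char *p = (const unsigned char *)address, *end = p + addrlen;
	int multi, count = 0;
	enum check_type t = optname_check(optname, &multi);

	if (t == CHECK_NONE || addrlen <= 0)
		return -EINVAL;
	while (p < end) {
		struct sockaddr sa; size_t len; /* copy out: buffer may be unaligned */

		if ((size_t)(end - p) < sizeof(sa))
			return -EINVAL;
		memcpy(&sa, p, sizeof(sa));
		if (sa.sa_family == AF_INET)
			len = sizeof(struct sockaddr_in);
		else if (sa.sa_family == AF_INET6)
			len = sizeof(struct sockaddr_in6);
		else
			return -EAFNOSUPPORT;
		if ((size_t)(end - p) < len)
			return -EINVAL; /* @addrlen does not cover the last address */
		p += len;
		count++;
	}
	if (count > 1 && !multi)
		return -EINVAL;
	*type = t;
	return count;
}

/* Constructed sample @address buffer (documentation ranges); returns @addrlen or -1. */
int build_sample_addrs(unsigned char *buf, size_t bufsz)
{
	struct sockaddr_in v4 = { 0 };
	struct sockaddr_in6 v6 = { 0 };

	if (bufsz < sizeof(v4) + sizeof(v6))
		return -1;
	v4.sin_family = AF_INET;
	inet_pton(AF_INET, "192.0.2.10", &v4.sin_addr);
	v6.sin6_family = AF_INET6;
	inet_pton(AF_INET6, "2001:db8::10", &v6.sin6_addr);
	memcpy(buf, &v4, sizeof(v4));
	memcpy(buf + sizeof(v4), &v6, sizeof(v6));
	return (int)(sizeof(v4) + sizeof(v6));
}
```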


security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2)
(i.e. a TCP style socket) or when a socket is 'peeled off', e.g. when userspace
calls **sctp_peeloff**\(3).
::

    @asoc - pointer to current sctp association structure.
    @sk - pointer to current sock structure.
    @newsk - pointer to new sock structure.


security_sctp_assoc_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received; the peer secid is then saved into
``@asoc->peer_secid`` for the client side::

    @asoc - pointer to sctp association structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Security Hooks used for Association Establishment
-------------------------------------------------

The following diagram shows the use of ``security_sctp_bind_connect()``,
``security_sctp_assoc_request()`` and ``security_sctp_assoc_established()`` when
establishing an association.
::

       SCTP endpoint "A"                                SCTP endpoint "Z"
       =================                                =================
     sctp_sf_do_prm_asoc()
    Association setup can be initiated
    by a connect(2), sctp_connectx(3),
    sendmsg(2) or sctp_sendmsg(3).
    These will result in a call to
    security_sctp_bind_connect() to
    initiate an association to
    SCTP peer endpoint "Z".
          INIT --------------------------------------------->
                                                    sctp_sf_do_5_1B_init()
                                                  Respond to an INIT chunk.
                                              SCTP peer endpoint "A" is asking
                                              for a temporary association.
                                              Call security_sctp_assoc_request()
                                              to set the peer label if first
                                              association.
                                              If not first association, check
                                              whether allowed, IF so send:
          <----------------------------------------------- INIT ACK
          |                                  ELSE audit event and silently
          |                                       discard the packet.
          |
     COOKIE ECHO ------------------------------------------>
                                                   sctp_sf_do_5_1D_ce()
                                              Respond to a COOKIE ECHO chunk.
                                              Confirm the cookie and create a
                                              permanent association.
                                              Call security_sctp_assoc_request() to
                                              do the same as for INIT chunk Response.
          <------------------------------------------- COOKIE ACK
          |                                               |
     sctp_sf_do_5_1E_ca                                   |
    Call security_sctp_assoc_established()                |
    to set the peer label.                                |
          |                                               |
          |                               If SCTP_SOCKET_TCP or peeled off
          |                               socket security_sctp_sk_clone() is
          |                               called to clone the new socket.
          |                                               |
      ESTABLISHED                                    ESTABLISHED
          |                                               |
     ------------------------------------------------------------------
     |                     Association Established                    |
     ------------------------------------------------------------------


186
187SCTP SELinux Support
188====================
189
190Security Hooks
191--------------
192
193The `SCTP LSM Support`_ chapter above describes the following SCTP security
194hooks with the SELinux specifics expanded below::
195
196 security_sctp_assoc_request()
197 security_sctp_bind_connect()
198 security_sctp_sk_clone()
199 security_sctp_assoc_established()
200
201
202security_sctp_assoc_request()
203~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
204Passes the ``@asoc`` and ``@chunk->skb`` of the association INIT packet to the
205security module. Returns 0 on success, error on failure.
206::
207
208 @asoc - pointer to sctp association structure.
209 @skb - pointer to skbuff of association packet.
210
211The security module performs the following operations:
212 IF this is the first association on ``@asoc->base.sk``, then set the peer
213 sid to that in ``@skb``. This will ensure there is only one peer sid
214 assigned to ``@asoc->base.sk`` that may support multiple associations.
215
216 ELSE validate the ``@asoc->base.sk peer_sid`` against the ``@skb peer sid``
217 to determine whether the association should be allowed or denied.
218
219 Set the sctp ``@asoc sid`` to socket's sid (from ``asoc->base.sk``) with
220 MLS portion taken from ``@skb peer sid``. This will be used by SCTP
221 TCP style sockets and peeled off connections as they cause a new socket
222 to be generated.
223
224 If IP security options are configured (CIPSO/CALIPSO), then the ip
225 options are set on the socket.
226
227
228security_sctp_bind_connect()
229~~~~~~~~~~~~~~~~~~~~~~~~~~~~
230Checks permissions required for ipv4/ipv6 addresses based on the ``@optname``
231as follows::
232
233 ------------------------------------------------------------------
234 | BIND Permission Checks |
235 | @optname | @address contains |
236 |----------------------------|-----------------------------------|
237 | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
238 | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address |
239 | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address |
240 ------------------------------------------------------------------
241
242 ------------------------------------------------------------------
243 | CONNECT Permission Checks |
244 | @optname | @address contains |
245 |----------------------------|-----------------------------------|
246 | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses |
247 | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses |
248 | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address |
249 | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address |
250 ------------------------------------------------------------------
251
252
253`SCTP LSM Support`_ gives a summary of the ``@optname``
254entries and also describes ASCONF chunk processing when Dynamic Address
255Reconfiguration is enabled.
256
257
security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
socket) or when a socket is 'peeled off', e.g. when userspace calls
**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new
socket's sid and peer sid to those contained in the ``@asoc sid`` and
``@asoc peer sid`` respectively.
::

    @asoc - pointer to current sctp association structure.
    @sk - pointer to current sock structure.
    @newsk - pointer to new sock structure.


security_sctp_assoc_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received, where it sets the connection's peer sid
to that in ``@skb``::

    @asoc - pointer to sctp association structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Policy Statements
-----------------
The following class and permissions to support SCTP are available within the
kernel::

    class sctp_socket inherits socket { node_bind }

whenever the following policy capability is enabled::

    policycap extended_socket_class;

SELinux SCTP support adds the ``name_connect`` permission for connecting
to a specific port type and the ``association`` permission that is explained
in the section below.

If userspace tools have been updated, SCTP will support the ``portcon``
statement as shown in the following example::

    portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0


SCTP Peer Labeling
------------------
An SCTP socket will only have one peer label assigned to it. This will be
assigned during the establishment of the first association. Any further
associations on this socket will have their packet peer label compared to
the socket's peer label, and only if they are different will the
``association`` permission be validated. This is validated by checking the
socket peer sid against the received packet's peer sid to determine whether
the association should be allowed or denied.

NOTES:
   1) If peer labeling is not enabled, then the peer context will always be
      ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).

   2) As SCTP can support more than one transport address per endpoint
      (multi-homing) on a single socket, it is possible to configure policy
      and NetLabel to provide different peer labels for each of these. As the
      socket peer label is determined by the first association's transport
      address, it is recommended that all peer labels are consistent.

   3) **getpeercon**\(3) may be used by userspace to retrieve the socket's peer
      context.

   4) While not SCTP specific, be aware when using NetLabel that if a label
      is assigned to a specific interface, and that interface 'goes down',
      then the NetLabel service will remove the entry. Therefore ensure that
      the network startup scripts call **netlabelctl**\(8) to set the required
      label (see the **netlabel-config**\(8) helper script for details).

   5) The NetLabel SCTP peer labeling rules apply as discussed in the following
      set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t.

   6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
      CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``

      Note the following when testing CIPSO/CALIPSO:
         a) CIPSO will send an ICMP packet if an SCTP packet cannot be
            delivered because of an invalid label.
         b) CALIPSO does not send an ICMP packet, it just silently discards it.

   7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
      implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)),
      although the kernel supports SCTP/IPSEC.
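
The one-peer-label rule described at the start of this section, together with
the SELinux ``security_sctp_assoc_request()`` and ``security_sctp_sk_clone()``
behaviour described earlier, as an added example that is not kernel or SELinux
code: SIDs are modelled as ``user:role:type:range`` context strings, the
``association`` permission query as a caller-supplied callback, and the
``my_sctpd_t`` and peer contexts used when exercising it are constructed.

```c
/* Added example, not kernel or SELinux code: models the one-peer-label rule for
 * an SCTP socket that carries several associations. SIDs are stood in for by
 * "user:role:type:range" context strings, the `association` permission query by
 * a caller-supplied callback. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define CTX_MAX 128
#define UNLABELED_CTX "system_u:object_r:unlabeled_t:s0" /* SECINITSID_UNLABELED */

struct sock_model {              /* the struct sock behind @asoc->base.sk */
	char sid[CTX_MAX];       /* the socket's own label */
	char peer_sid[CTX_MAX];  /* the single peer label the socket ever gets */
	int have_peer;           /* set by the first association */
};

struct assoc_model {             /* the sctp_association */
	struct sock_model *base_sk;
	char sid[CTX_MAX];       /* @asoc sid: socket sid with the peer's MLS part */
	char peer_sid[CTX_MAX];  /* @asoc->peer_secid */
};

/* Policy query: does sock_peer hold the `association` permission for pkt_peer? */
typedef int (*assoc_perm_fn)(const char *sock_peer, const char *pkt_peer);
static int deny_assoc(const char *a, const char *b) { (void)a; (void)b; return 0; }
static int allow_assoc(const char *a, const char *b) { (void)a; (void)b; return 1; }

/* Text after the n-th colon: for n == 3 the MLS range; NULL if absent. */
static const char *after_colon(const char *s, int n)
{
	for (; *s; s++)
		if (*s == ':' && --n == 0)
			return s + 1;
	return NULL;
}

/* Socket context with its MLS portion replaced by the packet peer's MLS portion. */
static int sid_with_peer_mls(const char *sock, const char *peer, char *out)
{
	const char *smls = after_colon(sock, 3), *pmls = after_colon(peer, 3);
	size_t prefix;
	if (!smls || !pmls)
		return -EINVAL;
	prefix = (size_t)(smls - sock);  /* "user:role:type:" */
	if (prefix + strlen(pmls) >= CTX_MAX)
		return -EINVAL;
	memcpy(out, sock, prefix);
	strcpy(out + prefix, pmls);
	return 0;
}

/* What security_sctp_assoc_request() decides for an INIT / COOKIE ECHO whose
 * packet carries peer label skb_peer (NULL when peer labeling is disabled).
 * 0 allows the association; -EACCES means audit and silently discard. */
int model_sctp_assoc_request(struct assoc_model *asoc, const char *skb_peer,
			     assoc_perm_fn perm)
{
	struct sock_model *sk = asoc->base_sk;
	if (!skb_peer)
		skb_peer = UNLABELED_CTX;
	if (!sk->have_peer) {            /* first association labels the socket */
		snprintf(sk->peer_sid, CTX_MAX, "%s", skb_peer);
		sk->have_peer = 1;
	} else if (strcmp(sk->peer_sid, skb_peer) != 0 &&
		   !perm(sk->peer_sid, skb_peer)) {
		return -EACCES;          /* labels differ and policy denies */
	}
	snprintf(asoc->peer_sid, CTX_MAX, "%s", skb_peer);
	return sid_with_peer_mls(sk->sid, skb_peer, asoc->sid);
}

/* security_sctp_sk_clone(): the accept(2)ed or peeled-off socket takes the
 * association's sid and peer sid rather than the original socket's. */
void model_sctp_sk_clone(const struct assoc_model *asoc, struct sock_model *newsk)
{
	snprintf(newsk->sid, CTX_MAX, "%s", asoc->sid);
	snprintf(newsk->peer_sid, CTX_MAX, "%s", asoc->peer_sid);
	newsk->have_peer = 1;
}
```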