7.3 Flow Masks
7.3.3 Output access lists and flow masks
The example in the figure depicts how a flow is established between Hosts A and B, and how packets in that flow are switched by the MLS-SE. If an extended access list is applied to the router interface, the MLS-SE learns of the change from the MLS-RP through MLSP and immediately enforces security for the affected flow. The MLS-SE enforces the output access list by purging any entries for flows on that interface from the MLS cache.

Subsequent entries are relearned by being sent first to the Route Processor as candidate packets and then being cached in the MLS cache when they return from the Route Processor. If the packet is denied by the access list, it never makes it back to the switch as an enable packet and is never cached.

An extended access list requires that the MLS cache be maintained with the IP-flow mask, meaning that each cache entry contains the full Layer 3 and Layer 4 information of the flow. It is important to understand that unless the flow mask is configured for IP-flow, the access list is applied only to the first packet of a flow, not to the subsequent packets. For example, suppose an extended access list permits Host A to ping Host B but denies all other types of traffic, such as FTP, Telnet, and HTTP. If Host A first pings Host B, the packet is permitted and the flow is cached in the MLS-SE. After this flow is cached, if Host A tries to open a Telnet session to Host B, the connection is allowed! This is because the MLS-SE checks the MLS cache only for the destination IP address, finds the cached entry, and switches the Telnet packet without involving the MLS-RP, which is therefore unable to filter it. This example illustrates a potential security hole resulting from a mismatch between the MLS flow mask and the access list.
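To make the ping-then-Telnet scenario concrete, here is an added toy model of the MLS-SE cache lookup under each flow mask (this is illustrative code written for this section, not Cisco code; the host addresses, the access list and the class and function names are constructed for the example). It shows that with the destination-IP or source-destination-IP mask the Telnet packet hits the entry cached for the ping and bypasses the MLS-RP, while with the IP-flow mask it misses the cache, is sent to the MLS-RP as a candidate packet, and is denied.

```python
# Added example: toy model of MLS-SE cache behaviour per flow mask (hypothetical names).
from dataclasses import dataclass

# Fields that make up a cache entry under each flow mask described in the text.
MASKS = {
    "destination-ip": ("dst",),
    "source-destination-ip": ("src", "dst"),
    "ip-flow": ("src", "dst", "proto", "dport"),   # full Layer 3 and Layer 4 information
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "icmp" or "tcp"
    dport: int   # 0 for ICMP

def mls_key(pkt, mask):
    """Cache key: only the header fields covered by the configured flow mask."""
    return tuple(getattr(pkt, field) for field in MASKS[mask])

def router_acl(pkt):
    """Constructed extended access list on the MLS-RP: permit ICMP A->B, deny all else."""
    return pkt.src == "10.0.0.1" and pkt.dst == "10.0.0.2" and pkt.proto == "icmp"

class MLSSwitch:
    def __init__(self, mask):
        self.mask = mask
        self.cache = set()   # shortcut entries learned from enable packets

    def forward(self, pkt):
        """Return 'switched' (cache hit), 'routed' (MLS-RP permitted) or 'dropped'."""
        key = mls_key(pkt, self.mask)
        if key in self.cache:
            return "switched"      # MLS-SE forwards; the MLS-RP and its ACL never see it
        if router_acl(pkt):        # candidate packet goes to the MLS-RP
            self.cache.add(key)    # enable packet returns, so the flow is cached
            return "routed"
        return "dropped"           # denied packet never returns and is never cached

def run_scenario(mask):
    """Host A pings Host B twice, then tries Telnet to Host B (constructed traffic)."""
    sw = MLSSwitch(mask)
    ping = Packet("10.0.0.1", "10.0.0.2", "icmp", 0)
    telnet = Packet("10.0.0.1", "10.0.0.2", "tcp", 23)
    return [sw.forward(ping), sw.forward(ping), sw.forward(telnet)]

if __name__ == "__main__":
    for mask in MASKS:
        print(f"{mask:24} {run_scenario(mask)}")
```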