[redhat-lspp] using ah and esp protocols in ipsec
Paul Moore
paul.moore at hp.com
Tue Oct 17 19:08:09 UTC 2006
Paul Moore wrote:
> On Monday 16 October 2006 6:20 pm, Joy Latten wrote:
>
>>Paul,
>>
>>When ipsec policy is specified as:
>>
>> spdadd 9.3.189.57 9.3.192.210 any
>> -ctx 1 1 "system_u:object_r:passwd_t:s3"
>> -P out ipsec
>> esp/transport//require ah/transport//require;
>>
>>Since I specified both esp and ah protocols,
>>racoon created 4 SAs, 2 for esp and 2 for AH.
>>All four SAs created had the following security context:
>>security context: root:sysadm_r:ping_t:s0-s15:c0.c1023
>>(A ping resulted in the SAs being created.)
>>
>>Hope this helps. Let me know if there is anything else I
>>can help with.
>
>
> Hi Joy,
>
> Thanks, yes that does help. However, I have another question for you if you
> don't mind :)
>
> What happens when you have multiple SAs for a packet and the contexts don't
> match? Granted this is a common case but it should be possible. For
> example, what happens when you use manual keying to create two SAs, one AH
> and one ESP, with the same selectors but different contexts?
>
> Does the first transform "win"? Or the "last"? Is there an error or warning
> reported anywhere?
While looking at something else I think I found the answer in the
selinux_xfrm_decode_session(): all of the SAs used on the packet must have the
same context else -EINVAL is returned.
--
paul moore
linux security @ hp
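The manual-keying scenario asked about above, written out as an ipsec-tools setkey configuration. This is an added example, not part of the thread: the SPIs and hex keys are placeholder values, the addresses, the `-ctx 1 1` DOI/algorithm pair and the context string are taken from the messages above, and the second AH entry is the mismatched variant, left commented out, that per Paul's finding selinux_xfrm_decode_session() would reject with -EINVAL.

```conf
# Constructed setkey script (added example): two manually keyed outbound SAs,
# one ESP and one AH, with the SAME selectors and the SAME security context,
# plus an SPD entry that requires both transforms on every matching packet.
flush;
spdflush;

# ESP SA, transport mode, labeled with the context seen on the racoon SAs.
# SPI and key are placeholders (16-byte AES key shown as 32 hex digits).
add 9.3.189.57 9.3.192.210 esp 0x201 -m transport
    -ctx 1 1 "root:sysadm_r:ping_t:s0-s15:c0.c1023"
    -E aes-cbc 0x00112233445566778899aabbccddeeff;

# AH SA for the same selectors, same context (20-byte HMAC-SHA1 key placeholder).
add 9.3.189.57 9.3.192.210 ah 0x301 -m transport
    -ctx 1 1 "root:sysadm_r:ping_t:s0-s15:c0.c1023"
    -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;

# Mismatched variant for contrast: an AH SA whose context differs from the ESP
# SA above. With both transforms applied to one packet, the contexts of all SAs
# on that packet must agree; otherwise selinux_xfrm_decode_session() returns
# -EINVAL, so this entry is deliberately left disabled.
# add 9.3.189.57 9.3.192.210 ah 0x301 -m transport
#     -ctx 1 1 "system_u:object_r:passwd_t:s3"
#     -A hmac-sha1 0x0102030405060708090a0b0c0d0e0f1011121314;

# Policy from the thread: outbound traffic between the two hosts must carry
# both ESP and AH in transport mode.
spdadd 9.3.189.57 9.3.192.210 any
    -ctx 1 1 "system_u:object_r:passwd_t:s3"
    -P out ipsec
    esp/transport//require ah/transport//require;
```

Load with `setkey -f <file>` and inspect the resulting SAs and their contexts with `setkey -D`; the inbound direction needs a mirrored pair of SAs and an `-P in` policy, omitted here for brevity.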