[redhat-lspp] [PATCH] lsm-secpeer for IPSec labels

Roe, William H. William.Roe at gd-ais.com
Fri Sep 16 19:49:43 UTC 2005


 
Stephen,

Not including the list was an oversight on my part.

So, are you convinced that this scheme will allow for a PL4
accreditation?  E.g. Secret cleared users on the same network.

Bill

William Roe, CISSP, M.S. IA
General Dynamics AIS
Intelligence Mission Solutions
Technical Engineering Matrix Manager
Sr. Lead Software Engineer
410/859-2076 office
443/220-8910 blackberry
william.roe at gd-ais.com
 
 

Confidentiality Note:  This e-mail is intended only for the person or
entity to which it is addressed, and may contain information that is
privileged, confidential, or otherwise protected from disclosure.
Dissemination, distribution, or copying of this e-mail or the
information herein by anyone other than the intended recipient is
prohibited.  If you have received this e-mail in error, please notify
the sender by reply e-mail, phone, or fax, and destroy the original
message and all copies.  Thank you.


-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov] 
Sent: Friday, September 16, 2005 3:39 PM
To: Roe, William H.
Subject: RE: [redhat-lspp] [PATCH] lsm-secpeer for IPSec labels

On Fri, 2005-09-16 at 15:34 -0400, Roe, William H. wrote:
> Stephen,
> 
> Hmmm. I am assuming that these are not dynamic IPSEC tunnels.
> Everything is preconfigured.  Also, I would assume this would require 
> a static ip scheme, otherwise there is no guarantee the tunnel 
> originates from a non-SAP network.
> 
> Am I offbase here?

I don't think those assumptions are fundamentally necessary in order to
make this scheme work.  Preconfigured IPSEC associations do simplify
matters, as you can then load the (host,SPI)->label mappings into your
intermediate host/router in advance and do your packet filtering there
without needing to dynamically fetch them, but the latter is certainly
possible by creating a fairly simple daemon on the endpoints.  Static
IPs likewise simplify the binding of identities, but you should be able to
establish identity even for dynamic IPs based on certificate and
signatures during SA establishment.  Or am I misunderstanding your
question?

BTW, your reply didn't copy the list, so I likewise omitted it from
mine, but nothing above is sensitive in any manner.

--
Stephen Smalley
National Security Agency
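An added example (not code from this thread or from the lsm-secpeer patch) of the intermediate-router filtering Stephen describes: a (host, SPI) -> label table loaded in advance, consulted for each ESP packet, and failing closed when the SA is unknown. The addresses, SPIs, labels and per-network clearances are constructed for illustration.

```python
import struct
import ipaddress

# Constructed sample mapping (source host, SPI) -> MLS label, as loaded in
# advance on the intermediate host/router. All values are made up.
SPI_LABELS = {
    ("10.0.1.5", 0x00001001): "secret",
    ("10.0.1.5", 0x00001002): "unclassified",
    ("10.0.2.7", 0x000020AA): "secret",
}

# Hypothetical ordering of levels and the highest level each egress network
# is cleared to carry; traffic may only flow where its label is dominated.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}
NETWORK_CLEARANCE = {"non-sap-lan": "unclassified", "sap-lan": "secret"}

def parse_ipv4_esp(packet: bytes):
    """Return (src_ip, spi) for a raw IPv4 packet carrying ESP, else None."""
    if len(packet) < 20:
        return None
    (ver_ihl, _tos, _tlen, _id, _flags, _ttl, proto, _cksum,
     src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 50:      # 50 = ESP
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if len(packet) < ihl + 8:                 # ESP header: SPI(4) + seq(4)
        return None
    spi, _seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return str(ipaddress.IPv4Address(src)), spi

def filter_decision(packet: bytes, egress_network: str) -> str:
    """'forward' if the SA's label is dominated by the egress clearance, else 'drop'."""
    parsed = parse_ipv4_esp(packet)
    if parsed is None:
        return "drop"                         # not IPv4/ESP or truncated: fail closed
    label = SPI_LABELS.get(parsed)
    if label is None:
        return "drop"                         # unknown (host, SPI): fail closed
    clearance = NETWORK_CLEARANCE.get(egress_network)
    if clearance is None:
        return "drop"
    return "forward" if LEVELS[label] <= LEVELS[clearance] else "drop"

def build_packet(src: str, spi: int) -> bytes:
    """Construct a minimal IPv4+ESP packet for testing (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 50, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address("10.0.9.1").packed)
    return hdr + struct.pack("!II", spi, 1)
```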




