[redhat-lspp] Re: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use in MLS environments
James Morris
jmorris at redhat.com
Wed Jun 14 15:35:20 UTC 2006
On Tue, 13 Jun 2006, Venkat Yekkirala wrote:
> SA can be negotiated for each unique security context. A couple of bug fixes are also
> included; checks to make sure the SAs used by a packet match policy (security context-wise)
> on the inbound and also that the bundle used for the outbound matches the security context
> of the flow.
Are these bug fixes independent of the new functionality? If so, they
need to be submitted first under separate cover.
> Outstanding items/issues:
> - xfrm_user needs to be altered also to include the security context in acquire messages. This
> patch set already includes changes for PF_KEY/acquire.
Given that xfrm_user is the native Linux interface, it needs to be done
(preferably first).
> - Timewait acknowledgements and such are generated in the current/upstream implementation using
> a NULL socket resulting in the any_socket sid (SYSTEM_HIGH) to be used. This problem is not
> addressed by this patch set.
This seems fairly problematic.
Also, as Trent is the original author of this work, his input on these
changes is critical.
- James
--
James Morris
<jmorris at redhat.com>