[redhat-lspp] RE: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use in MLS environments
Venkat Yekkirala
vyekkirala at TrustedCS.com
Wed Jun 14 19:30:55 UTC 2006
> Are these bug fixes independent of the new functionality? If so, they
> need to be submitted first under separate cover.
They are really architectural level fixes and as such are available as part
of this patch.
>
> > Outstanding items/issues:
> > - xfrm_user needs to be altered also to include the security context in
> >   acquire messages. This patch set already includes changes for
> >   PF_KEY/acquire.
>
> Given that xfrm_user is the native Linux interface, it needs to be done
> (preferably first).
Yes. Joy has offered to help and is currently working on this. Since this
effort was geared toward the lspp project, I initially concentrated on the
PF_KEY interface. But you are right.
>
> > - Timewait acknowledgements and such are generated in the current/upstream
> >   implementation using a NULL socket resulting in the any_socket sid
> >   (SYSTEM_HIGH) to be used. This problem is not addressed by this patch set.
>
> This seems fairly problematic.
Yes. We should figure this out in due course. I just wanted to make people
aware.
>
> Also, as Trent is the original author of this work, his input on these
> changes is critical.
>
Very much so. Thanks.