[redhat-lspp] labeled ipsec status

Joy Latten latten at austin.ibm.com
Mon Jan 8 20:04:44 UTC 2007


Current status (that I am aware of) for labeled ipsec:

1. Stress tests.
All ipv4 stress tests run over lspp 59 kernel were
successful. Ipv6 stress test did not run successfully.
I could not get regular ipsec, not labeled ipsec, to work well.

I compiled an upstream kernel from kernel.org (I think it was
2.6.20-rc1-git6) and was able to get regular ipsec working well, 
but not labeled ipsec.

Hopefully I will get to start stress tests today for lspp60 kernel.

2. Labeled Ipsec Policy
I have a labeled ipsec policy that hopefully I will
send to the list today. It includes suggestions from Venkat,
so I consider it a better patch than the previous one I sent out
before the holidays.  Still testing it but will send anyway.

3. Toggle to accept or reject unlabeled packets.
Dan has completed this. He added a boolean, allow_unlabeled_packets,
to selinux policy. Currently, because of a problem in the lspp60
kernel, the boolean does not work. I tested the boolean on an
upstream kernel from kernel.org, 2.6.20-rc3-git4, and the boolean
worked great and as expected. (See #5 below as to why
it did not work in lspp60.)

4. Labeled ipsec over loopback.
Because racoon cannot talk to itself, dynamically, labeled SAs cannot
be generated over loopback.
I asked on ipsec-tools mailing list about this and it seems the 
consensus was no one has gotten this to work with ikev1, that is,
the current racoon.
At some point Venkat and others had discussion about how to resolve this.

5. Default behaviour to accept unlabeled packets.
In lspp kernels (I need to check RHEL5 kernels) as soon as a
single ipsec policy is entered, unlabeled packets are no longer
accepted. This is contrary to selinux policy. (This is why
Dan's toggle wouldn't work in lspp60.)
I tested on an upstream kernel from kernel.org, 2.6.0-rc3-git4,
with very same selinux policy and ipsec config and unlabeled
packets are still accepted. This is correct behaviour.
Need to investigate what change has occurred between the lspp kernel
and the upstream kernel from kernel.org to cause the different behaviours.

6. IPv6
Regular ipsec and labeled ipsec did not work over ipv6 in lspp 59
kernel. Need to try in lspp60 kernel and latest upstream kernel,
2.6.10-rc3-git4.  Will open a bug report.

7. IPsec audit is complete. 
There was a bugfix sent to linux-kernel last Monday. 
Eric or Steve, I don't know if this bugfix has been accepted...
if I need to open a bug report to make sure you get it, please
let me know.

Regards,
Joy Latten 