[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

[redhat-lspp] Re: [RFC][PATCH 2/2] MLSXFRM: Flow labeling outside of socket context

From: James Morris <jmorris redhat com>
To: Venkat Yekkirala <vyekkirala trustedcs com>
Cc: redhat-lspp redhat com, sds tycho nsa gov, tjaeger cse psu edu, latten austin ibm com
Subject: [redhat-lspp] Re: [RFC][PATCH 2/2] MLSXFRM: Flow labeling outside of socket context
Date: Sat, 8 Jul 2006 11:14:29 -0400 (EDT)

On Wed, 5 Jul 2006, Venkat Yekkirala wrote:

> The following aren't addressed in this round. These will however still be able to use
> single-labeled associations like they currently do as defined by policy, and as such
> I currently do not have any plans to add support for them.
> 
> ipmr
> ip_gre
> ipip
> igmp
> sit
> sctp
> ip6_tunnel (IPv6 over IPv6 tunnel device)
> decnet

This seems problematic in that it's not a general solution and depends 
always on hooking in at all of the right places in every protocol.  Adding 
a bunch of hooks to protocol-specific code is what got us in trouble with 
the initial LSM submission.

What about using secmark and connection tracking for this, instead?

I'd also suggest moving this discussion to netdev, so other network
developers & maintainers can participate, or just keep track of the
discussion.

- James
-- 
James Morris
<jmorris redhat com>

References:
- [redhat-lspp] [RFC][PATCH 2/2] MLSXFRM: Flow labeling outside of socket context
  - From: Venkat Yekkirala

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]