[redhat-lspp] Re: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use in MLS environments
- From: Stephen Smalley <sds tycho nsa gov>
- To: Venkat Yekkirala <vyekkirala trustedcs com>
- Cc: redhat-lspp redhat com, latten austin ibm com, tjaeger cse psu edu, jmorris redhat com
- Subject: [redhat-lspp] Re: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use in MLS environments
- Date: Thu, 15 Jun 2006 12:29:31 -0400
On Tue, 2006-06-13 at 17:09 -0500, Venkat Yekkirala wrote:
> The current approach to labeling Security Associations for SELinux purposes
> uses a one-to-one mapping between xfrm policy rules and security associations.
> This doesn’t address the needs of real world MLS (Multi-level System, traditional
> Bell-LaPadula) environments where a single xfrm policy rule (pertaining to a range,
> classified to secret for example) might need to map to multiple Security Associations
> (one each for classified, secret, top secret and all the compartments applicable to
> these security levels).
What if we want to share a single IPSEC SA for a range, and use e.g.
CIPSO/NetLabel to individually label traffic with individual levels
within that range? Does this patch set prevent such sharing of SAs? Or
is it just a matter of how we configure the policy rules for polmatch?
--
Stephen Smalley
National Security Agency
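The one-SA-per-label versus shared-SA question raised in the exchange above, as an added Python model that is not part of the original thread or of the kernel patch set; the level names, compartments and traffic labels are constructed for illustration.

```python
# Illustrative model of the mapping discussed above: an xfrm policy rule
# labelled with an MLS range, and the Security Associations (SAs) needed to
# carry traffic for the individual labels inside that range. Not kernel code.
from dataclasses import dataclass
from itertools import chain, combinations

# Constructed sensitivity ordering; names follow the email's example.
LEVELS = {"classified": 0, "secret": 1, "top_secret": 2}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset

def dominates(high, low):
    """Bell-LaPadula dominance: level is at least as high and the
    compartment set is a superset."""
    return (LEVELS[high.level] >= LEVELS[low.level]
            and high.compartments >= low.compartments)

@dataclass(frozen=True)
class PolicyRule:
    """One xfrm policy rule whose label is the MLS range low..high."""
    low: Label
    high: Label

    def matches(self, label):
        return dominates(label, self.low) and dominates(self.high, label)

def labels_in_range(rule):
    """Every distinct label the range admits: each level from low to high,
    combined with every subset of the compartments high adds beyond low."""
    lo, hi = LEVELS[rule.low.level], LEVELS[rule.high.level]
    optional = sorted(rule.high.compartments - rule.low.compartments)
    subsets = list(chain.from_iterable(
        combinations(optional, k) for k in range(len(optional) + 1)))
    return {Label(name, rule.low.compartments | frozenset(s))
            for name, idx in LEVELS.items() if lo <= idx <= hi
            for s in subsets}

def granular_sas(rule, traffic_labels):
    """The patch set's model: one SA per distinct label the rule matches."""
    return {lbl for lbl in traffic_labels if rule.matches(lbl)}

def shared_sa(rule, traffic_labels):
    """The alternative raised in the reply: one SA for the whole range, with
    each packet carrying its own label (e.g. via CIPSO/NetLabel)."""
    matched = [lbl for lbl in traffic_labels if rule.matches(lbl)]
    return (1 if matched else 0), matched
```

For a range of classified..secret with two optional compartments, `labels_in_range` yields 2 levels x 4 compartment subsets = 8 distinct labels, which is the number of SAs the granular model would need if all of them carried traffic, against a single SA in the shared model.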