[redhat-lspp] Re: [RFC] [MLSXFRM 00/04] Granular IPSec associ ations for use in MLS environments

Chad Hanson chanson at TrustedCS.com
Thu Jun 15 20:12:52 UTC 2006


> 
> What if we want to share a single IPSEC SA for a range, and use e.g.
> CIPSO/NetLabel to individually label traffic with individual levels
> within that range?  Does this patch set prevent such sharing of SAs?  Or
> is it just a matter of how we configure the policy rules for polmatch?
>

If you want to use CIPSO/NetLabel, why would you desire to use
labeled IPSEC? Why not just use regular IPSEC along with CIPSO/NetLabel?

I did see your post on NetLabel where you stated you would be inclined
to check if the CIPSO label is consistent with the IPSEC SA.

So the MLS labeling could look as follows for a packet:

SECMARK: SystemLow-SystemHigh
IPSEC:   Unclass-Secret
CIPSO/NetLabel: Secret

From this, if you are willing to check the CIPSO consistency with IPSEC,
IMHO it makes even more sense to check the IPSEC consistency with SECMARK.
Or if no labeled IPSEC, check CIPSO directly against SECMARK. These
consistency checks are what I desire in a routing configuration
for forwarded traffic. 

IMHO, both labeled IPSEC and CIPSO at the same time seems to be a
little overkill.

Currently, we have a product architecture where labeled packets
arrive on a ranged interface and then are forwarded without labels onto an
appropriate unlabeled network. We would like a consistency check that
verifies the packet should be allowed to leave the interface based on
the transmitted label.

This routing ability is the main driver behind our desire to check the
packet label against the iptables label for consistency on outbound
traffic.

-Chad 
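The consistency checks described in the message above (the CIPSO level against the IPsec SA range, the SA range against the SECMARK range, the CIPSO level directly against SECMARK when there is no labeled IPsec, and the egress check for the forwarded-traffic case), as an added worked example. This is not code from the thread, the MLSXFRM patch set or the kernel; it is a user-space model of the label lattice. The sensitivity names and ordering, the category set and the "Level:c1,c2" text form are assumptions, and the example goes beyond the message by including MLS categories (the quoted labels show sensitivities only).

```python
"""Toy model of the MLS label-consistency checks discussed in the thread.

Assumed (not from the page): the sensitivity names and ordering below, the
category set, and the "Level:c1,c2" text form accepted by parse_label().
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Assumed linear sensitivity ordering; SystemLow/SystemHigh are the lattice
# bottom and top (SystemHigh carries every category).
SENSITIVITY = {"Unclass": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}
ALL_CATEGORIES = frozenset({"c0", "c1", "c2", "c3"})  # assumed category space


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        """MLS dominance: sensitivity >= other's and categories a superset."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Range:
    low: Level
    high: Level

    def contains_level(self, lvl: Level) -> bool:
        """A level is inside a range if it dominates low and is dominated by high."""
        return lvl.dominates(self.low) and self.high.dominates(lvl)

    def contains_range(self, other: "Range") -> bool:
        """A range is inside another if both of its endpoints are."""
        return self.contains_level(other.low) and self.contains_level(other.high)


def parse_label(text: str) -> Level:
    """Parse 'Secret' or 'Secret:c1,c2'; SystemLow/SystemHigh are special-cased."""
    if text == "SystemLow":
        return Level(0)
    if text == "SystemHigh":
        return Level(max(SENSITIVITY.values()), ALL_CATEGORIES)
    name, _, cats = text.partition(":")
    if name not in SENSITIVITY:
        raise ValueError("unknown sensitivity: " + name)
    return Level(SENSITIVITY[name], frozenset(c for c in cats.split(",") if c))


def parse_range(text: str) -> Range:
    """Parse 'Low-High'; a single level denotes the range Level-Level."""
    low, _, high = text.partition("-")
    return Range(parse_label(low), parse_label(high or low))


def check_packet(secmark: str, ipsec: Optional[str], cipso: Optional[str]) -> List[str]:
    """Return the consistency violations for one packet (empty list = consistent).

    Rules as stated in the message: the CIPSO level must lie inside the IPsec
    SA range; the IPsec SA range must lie inside the SECMARK range; with no
    labeled IPsec, the CIPSO level is checked directly against SECMARK.
    """
    problems = []
    mark = parse_range(secmark)
    sa = parse_range(ipsec) if ipsec else None
    lvl = parse_label(cipso) if cipso else None
    if sa is not None and not mark.contains_range(sa):
        problems.append("IPsec SA range %s outside SECMARK range %s" % (ipsec, secmark))
    if sa is not None and lvl is not None and not sa.contains_level(lvl):
        problems.append("CIPSO level %s outside IPsec SA range %s" % (cipso, ipsec))
    if sa is None and lvl is not None and not mark.contains_level(lvl):
        problems.append("CIPSO level %s outside SECMARK range %s" % (cipso, secmark))
    return problems


def may_forward(egress_range: str, packet_label: str) -> bool:
    """Egress check for the forwarding case: a packet may leave an interface
    only if its transmitted label lies within the range assigned to it."""
    return parse_range(egress_range).contains_level(parse_label(packet_label))


if __name__ == "__main__":
    # Constructed samples; the first matches the labels quoted in the message.
    print(check_packet("SystemLow-SystemHigh", "Unclass-Secret", "Secret"))      # []
    print(check_packet("Unclass-Secret", "Unclass-TopSecret", "Secret"))         # SA outside SECMARK
    print(check_packet("SystemLow-SystemHigh", "Unclass-Secret", "TopSecret"))   # CIPSO outside SA
    print(check_packet("Unclass-Secret", None, "Secret:c1"))                     # category not in SECMARK
    print(may_forward("Unclass-Confidential", "Secret"))                         # False
```

The fourth sample is the case a sensitivity-only check would miss: "Secret:c1" has the same sensitivity as the SECMARK high end but carries a category the range does not, so dominance fails on the category set rather than on the level.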



