[redhat-lspp] FW: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use in MLS environments

Venkat Yekkirala vyekkirala at TrustedCS.com
Fri Jun 16 20:56:59 UTC 2006


This one bounced earlier.

-----Original Message-----
From: Venkat Yekkirala 
Sent: Friday, June 16, 2006 12:09 PM
To: 'Stephen Smalley'; Venkat Yekkirala
Cc: redhat-lspp at redhat.com; jmorris at redhat.com; tjaeger at cse.psu.edu;
latten at austin.ibm.com
Subject: RE: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use
in MLS environments


> What if we want to share a single IPSEC SA for a range, and use e.g.
> CIPSO/NetLabel to individually label traffic with individual levels
> within that range?  Does this patch set prevent such sharing 
> of SAs?  Or

To a large extent, it does allow ranged SAs (I will have to loosen up the
recvfrom mls constraint a little; sendto already explicitly allows for this).
But the current intent would be for such ranged SAs to be manually created and
loaded (via setkey), and for auto-generated SAs (via IKE) to be created at
single levels.

> is it just a matter of how we configure the policy rules for polmatch?

Actually, it would be the ranged SA labels (defined in the xfrm policy), used
as the target by sendto and recvfrom.
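The distinction the reply draws, a single-level SA negotiated by IKE versus a ranged SA loaded by hand, can be illustrated with a small MLS model. The following is an added example written for this page, not code from the MLSXFRM patch set or from the xfrm/SELinux code base; the `Level`, `SA`, `sa_accepts` names and the dominance rule used here are assumptions of the model, and the labels are constructed sample values in SELinux MLS notation.

```python
# Added illustrative model (not MLSXFRM code) of single-level vs. ranged SAs.
# A level is a sensitivity plus a category set; "dominates" is the usual MLS
# ordering: higher-or-equal sensitivity and a superset of categories.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_level(text):
    """Parse a constructed label such as 's1:c0,c3' or 's1' into a Level."""
    sens, _, cats = text.partition(":")
    cat_set = frozenset(int(c[1:]) for c in cats.split(",") if c)
    return Level(int(sens[1:]), cat_set)


@dataclass(frozen=True)
class SA:
    name: str
    low: Level
    high: Level
    origin: str  # assumed tag: "ike" (auto-generated) or "setkey" (hand-loaded)


def make_ike_sa(name, level):
    """Auto-generated SA: single level, so low == high."""
    return SA(name, level, level, "ike")


def make_ranged_sa(name, low, high):
    """Hand-loaded SA spanning [low, high]; the range must be well-formed."""
    if not high.dominates(low):
        raise ValueError("range high must dominate range low")
    return SA(name, low, high, "setkey")


def sa_accepts(sa, level):
    """Model of the check: traffic at `level` may use `sa` only if the level
    lies within the SA's range under MLS dominance. For a single-level SA this
    collapses to exact equality; for a ranged SA any level inside the range
    is accepted (the per-packet label would then be carried by something
    like CIPSO/NetLabel, as the quoted question describes)."""
    return level.dominates(sa.low) and sa.high.dominates(level)


if __name__ == "__main__":
    ranged = make_ranged_sa("manual-range", parse_level("s0"),
                            parse_level("s2:c0,c1"))
    single = make_ike_sa("ike-s1", parse_level("s1"))
    for label in ("s1", "s1:c0", "s1:c2", "s3"):
        lvl = parse_level(label)
        print(f"{label:8} ranged={sa_accepts(ranged, lvl)} "
              f"single={sa_accepts(single, lvl)}")
```

Running the block prints one line per constructed label: the ranged SA accepts `s1` and `s1:c0` but rejects `s1:c2` (category not in the range's high end) and `s3` (above the range), while the single-level IKE SA accepts only the exact level `s1`.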
