[redhat-lspp] FW: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use in MLS environments
Venkat Yekkirala
vyekkirala at TrustedCS.com
Fri Jun 16 21:00:57 UTC 2006
I believe this one got bounced as well (last one).
-----Original Message-----
From: Venkat Yekkirala
Sent: Wednesday, June 14, 2006 2:31 PM
To: 'James Morris'
Cc: redhat-lspp at redhat.com; sds at tycho.nsa.gov; tjaeger at cse.psu.edu;
latten at austin.ibm.com
Subject: RE: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use
in MLS environments
> Are these bug fixes independent of the new functionality? If so, they
> need to be submitted first under separate cover.
They are really architectural level fixes and as such are available as part
of this patch.
>
> > Outstanding items/issues:
> > - xfrm_user needs to be altered also to include the security context
> >   in acquire messages. This patch set already includes changes for
> >   PF_KEY/acquire.
>
> Given that xfrm_user is the native Linux interface, it needs to be done
> (preferably first).
Yes. Joy has offered to help and is currently working on this. Since this
effort was geared toward the lspp project I initially concentrated on the PF_KEY
interface. But you are right.
>
> > - Timewait acknowledgements and such are generated in the
> >   current/upstream implementation using a NULL socket resulting in the
> >   any_socket sid (SYSTEM_HIGH) to be used. This problem is not
> >   addressed by this patch set.
>
> This seems fairly problematic.
Yes. We should figure this out in due course. I just wanted to make people
aware.
>
> Also, as Trent is the original author of this work, his input on these
> changes is critical.
>
Very much so. Thanks.