[redhat-lspp] FW: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use in MLS environments

Venkat Yekkirala vyekkirala at TrustedCS.com
Fri Jun 16 21:00:57 UTC 2006


I believe this one got bounced as well (last one).

-----Original Message-----
From: Venkat Yekkirala 
Sent: Wednesday, June 14, 2006 2:31 PM
To: 'James Morris'
Cc: redhat-lspp at redhat.com; sds at tycho.nsa.gov; tjaeger at cse.psu.edu;
latten at austin.ibm.com
Subject: RE: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use
in MLS environments


> Are these bug fixes independent of the new functionality?  If so, they
> need to be submitted first under separate cover.

They are really architectural level fixes and as such are available as part
of this patch.

> 
> > Outstanding items/issues:
> > - xfrm_user needs to be altered also to include the security context in
> >   acquire messages. This patch set already includes changes for
> >   PF_KEY/acquire.
> 
> Given that xfrm_user is the native Linux interface, it needs to be done
> (preferably first).

Yes. Joy has offered to help and is currently working on this. Since this
effort was geared toward the lspp project, I initially concentrated on the
PF_KEY interface. But you are right.

> 
> > - Timewait acknowledgements and such are generated in the current/upstream
> >   implementation using a NULL socket, resulting in the any_socket sid
> >   (SYSTEM_HIGH) being used. This problem is not addressed by this patch set.
> 
> This seems fairly problematic.

Yes. We should figure this out in due course. I just wanted to make people
aware.

> 
> Also, as Trent is the original author of this work, his input on these
> changes is critical.
> 

Very much so. Thanks.
