[redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes
Serge E. Hallyn
serue at us.ibm.com
Thu Jun 22 22:36:34 UTC 2006
Quoting Paul Moore (paul.moore at hp.com):
> Serge E. Hallyn wrote:
> > Quoting Eric W. Biederman (ebiederm at xmission.com):
> >
> >>Ok. The way it looks to me is this:
> >>
> >>In the first network namespace connected to the outside world.
> >>We set up firewall rules to look at the security association (ipsec/ipauth)
> >>that came with the packet and, depending on it, forward that packet out
> >>different interfaces according to our security rules.
> >>
> >>Each of the different outgoing interfaces hooks to a different network
> >>namespace. With probably a different security level.
> >>
> >>The IP address is configured the same on the filter network namespace
> >>and the destination network namespaces.
> >>
> >>The tricky bit is that the filter network namespace needs firewall rules
> >>in place so that the returning packets are not allowed to spoof each other.
> >
> >
> > OTOH, if using the ipsec based labeling rather than cipso, that should
> > take care of the spoofing as well.
> >
>
> Using CIPSO (or any explicit labeling mechanism) should resolve the
> spoofing issue as well since the packets are explicitly labeled by the
> kernel.
Good point :)
So network namespaces may suffice in any case.
-serge
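The filter-namespace arrangement Eric sketches above, as an added illustration that is not code from the thread or from any of its participants. It assumes iptables with the xtables policy match and iproute2 with netns support; the namespace names, veth names, reqids and marks are constructed placeholders, and the inbound SA-based steering and the return-path anti-spoof rule are the two pieces it shows.

```shell
#!/bin/sh
# Added illustration, not from the thread: one "filter" namespace that steers
# IPsec-protected packets into per-level namespaces by security association,
# and blocks return traffic that does not leave under its own SA (anti-spoof).
# Names, reqids and marks are constructed assumptions. Addressing inside the
# namespaces (same IP on both ends, as the thread describes) is not shown.
# run prints each command; with APPLY=1 it also executes it (root required).
run() { echo "$*"; [ "${APPLY:-0}" = 1 ] && "$@"; return 0; }

# level:netns:veth-end-in-filter-ns:ipsec-reqid (reqid doubles as mark/table)
LEVELS="hi:ns-hi:veth-hi:1 lo:ns-lo:veth-lo:2"

setup_level() {
  ns=$1 dev=$2 id=$3
  run ip netns add "$ns"
  run ip link add "$dev" type veth peer name eth0 netns "$ns"
  run ip link set "$dev" up
  # Inbound: a packet decrypted under SA reqid $id is marked $id and policy-
  # routed out $dev, i.e. into the namespace for that level.
  run iptables -t mangle -A PREROUTING -m policy --dir in --pol ipsec \
      --reqid "$id" -j MARK --set-mark "$id"
  run ip rule add fwmark "$id" table "$id"
  run ip route add default dev "$dev" table "$id"
  # Return path: traffic arriving from $dev is forwarded only if it will be
  # sent under SA reqid $id; anything else from that level is dropped, so one
  # namespace cannot emit packets that appear to come from another level.
  run iptables -A FORWARD -i "$dev" -m policy --dir out --pol ipsec \
      --reqid "$id" -j ACCEPT
  run iptables -A FORWARD -i "$dev" -j DROP
}

setup_all() {
  for entry in $LEVELS; do
    oldifs=$IFS; IFS=:; set -- $entry; IFS=$oldifs
    setup_level "$2" "$3" "$4"
  done
}

setup_all   # dry run by default; APPLY=1 ./filter-ns.sh to execute
```

Run without APPLY to review the generated rule set; the per-level ACCEPT must precede the catch-all DROP for that veth, which is the order setup_level emits.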