[redhat-lspp] [RFC] A Proposal for CIPSO on Linux (again)
Chris Wright
chrisw at osdl.org
Tue Oct 25 18:40:32 UTC 2005
* Paul Moore (paul.moore at hp.com) wrote:
> I understand that CIPSO support has already been attempted, and
> unfortunately rejected by the greater kernel netdev community; however,
> I have taken the original feedback from DaveM into consideration and
> arrived at what I think is a reasonable compromise. For example, my
> proposal does not involve any new LSM hooks, the only changes to the
> base network stack would be some updates to ip_options.c (to make it
> CIPSO aware) and a new netfilter module. I believe all of the access
> decisions and packet labeling can be done using the existing LSM hooks.
> I would greatly appreciate any feedback you can offer.
What's the point? CIPSO is meaningless w/out packet header integrity,
which requires encryption, which looks like what Trent is working on now.
Also do you handle fragments, and encapsulation?
thanks,
-chris
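To make concrete what "making ip_options.c CIPSO aware" and "handling fragments" involve, here is an added example (not Paul Moore's proposal, not Trent's work, and not the kernel's own option parser). It assumes the CIPSO wire format from the CIPSO draft / FIPS 188: IP option type 134, a length byte, a 32-bit DOI, then tags, with tag type 1 carrying a sensitivity level and a category bitmap whose category 0 is the most significant bit of the first byte. Option type 134 has the "copied" bit set, so the option is present in every fragment; the parser reports fragment status and leaves the policy to the caller. The names `cipso_parse_ipv4`, `cipso_label_dominates`, `cipso_packet_allowed` and the sample packet are all constructed for this example. Note that none of this gives header integrity, which is exactly the objection above: a label in a cleartext IP option can be rewritten in transit.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative CIPSO option parser (example code, not the proposal's).
 * Assumed layout, from the CIPSO draft / FIPS 188:
 *   option: [type=134][len][DOI, 4 bytes big-endian][tags...]
 *   tag 1 : [type=1][len][alignment][sensitivity level][category bitmap...]
 * Category 0 is the most significant bit of the first bitmap byte. */
#define CIPSO_OPT_TYPE      134
#define CIPSO_TAG_RBITMAP   1
#define CIPSO_MAX_CAT_BYTES 30   /* tag 1 is at most 34 bytes long */

struct cipso_label {
    uint32_t doi;
    uint8_t  level;
    uint8_t  categories[CIPSO_MAX_CAT_BYTES];  /* zero beyond ncat_bytes */
    size_t   ncat_bytes;
};

enum { CIPSO_OK = 0, CIPSO_EHDR = -1, CIPSO_ETRUNC = -2,
       CIPSO_ENOOPT = -3, CIPSO_EMALFORMED = -4, CIPSO_ENOTAG = -5 };

/* Walk the IPv4 option area and extract one CIPSO tag-1 label. Every length
 * is checked against the buffer before it is trusted, and a second CIPSO
 * option is rejected so the label cannot be ambiguous. *is_fragment is set
 * when MF or a non-zero offset is present; since type 134 has the copied
 * bit set, every fragment carries the option and the caller must decide
 * whether labels on non-first fragments are accepted. */
int cipso_parse_ipv4(const uint8_t *pkt, size_t len,
                     struct cipso_label *out, int *is_fragment)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return CIPSO_EHDR;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20)
        return CIPSO_EHDR;
    if (ihl > len)
        return CIPSO_ETRUNC;
    *is_fragment = (((pkt[6] << 8) | pkt[7]) & 0x3fff) != 0;

    const uint8_t *p = pkt + 20, *end = pkt + ihl;
    int found = 0;
    while (p < end) {
        if (p[0] == 0)                       /* End of Option List */
            break;
        if (p[0] == 1) { p++; continue; }    /* No-Operation */
        if (end - p < 2 || p[1] < 2 || p[1] > end - p)
            return CIPSO_EMALFORMED;
        size_t optlen = p[1];
        if (p[0] == CIPSO_OPT_TYPE) {
            if (found || optlen < 6)
                return CIPSO_EMALFORMED;
            found = 1;
            out->doi = ((uint32_t)p[2] << 24) | ((uint32_t)p[3] << 16) |
                       ((uint32_t)p[4] << 8) | p[5];
            const uint8_t *t = p + 6, *tend = p + optlen;
            int have_tag = 0;
            while (t < tend) {
                if (tend - t < 2 || t[1] < 2 || t[1] > tend - t)
                    return CIPSO_EMALFORMED;
                size_t taglen = t[1];
                if (t[0] == CIPSO_TAG_RBITMAP && !have_tag) {
                    if (taglen < 4 || taglen > 4 + CIPSO_MAX_CAT_BYTES)
                        return CIPSO_EMALFORMED;
                    out->level = t[3];
                    out->ncat_bytes = taglen - 4;
                    memset(out->categories, 0, sizeof out->categories);
                    memcpy(out->categories, t + 4, out->ncat_bytes);
                    have_tag = 1;
                }
                t += taglen;                 /* other tag types are skipped */
            }
            if (!have_tag)
                return CIPSO_ENOTAG;
        }
        p += optlen;
    }
    return found ? CIPSO_OK : CIPSO_ENOOPT;
}

int cipso_has_category(const struct cipso_label *l, unsigned cat)
{
    if (cat / 8 >= l->ncat_bytes)
        return 0;
    return (l->categories[cat / 8] >> (7 - cat % 8)) & 1;
}

/* MLS dominance: hi dominates lo if same DOI, hi's level is at least lo's,
 * and every category held by lo is also held by hi. */
int cipso_label_dominates(const struct cipso_label *hi,
                          const struct cipso_label *lo)
{
    if (hi->doi != lo->doi || hi->level < lo->level)
        return 0;
    for (size_t i = 0; i < CIPSO_MAX_CAT_BYTES; i++)
        if (lo->categories[i] & ~hi->categories[i])
            return 0;
    return 1;
}

/* Constructed sample (not a captured packet): 32-byte IPv4 header, IHL 8,
 * one CIPSO option with DOI 1, tag 1, level 3, categories {0, 1, 15}. */
static const uint8_t sample_pkt[32] = {
    0x48, 0x00, 0x00, 0x20,  0x12, 0x34, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00,  0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02,
    0x86, 0x0c, 0x00, 0x00, 0x00, 0x01,   /* CIPSO, len 12, DOI 1 */
    0x01, 0x06, 0x00, 0x03, 0xc0, 0x01,   /* tag 1, len 6, level 3, bitmap */
};

/* Example access decision: accept only a parseable, unfragmented packet
 * whose label the receiver's clearance dominates. Refusing fragments is a
 * deliberate simplification here; a real stack would reassemble first. */
int cipso_packet_allowed(const uint8_t *pkt, size_t len,
                         const struct cipso_label *clearance)
{
    struct cipso_label lbl;
    int frag;
    if (cipso_parse_ipv4(pkt, len, &lbl, &frag) != CIPSO_OK || frag)
        return 0;
    return cipso_label_dominates(clearance, &lbl);
}
```

Usage: call `cipso_packet_allowed(sample_pkt, sizeof sample_pkt, &clearance)` with a `struct cipso_label` describing the receiving socket's clearance; the categories array is zero-padded so a clearance with fewer bitmap bytes still compares correctly. Flipping the fragment bits in bytes 6 and 7 of the sample makes the parser report a fragment, which this policy helper refuses.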