[redhat-lspp] RE: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use in MLS environments

Venkat Yekkirala vyekkirala at TrustedCS.com
Fri Jun 16 17:08:45 UTC 2006


> What if we want to share a single IPSEC SA for a range, and use e.g.
> CIPSO/NetLabel to individually label traffic with individual levels
> within that range?  Does this patch set prevent such sharing 
> of SAs?  Or

To a large extent, it does allow ranged SAs (I will have to loosen up the
recvfrom mls constraint a little; sendto already explicitly allows for this).
But the current intent would be for such ranged SAs to be manually created and
loaded (via setkey), and for auto-generated SAs (via IKE) to be created at
single levels.

> is it just a matter of how we configure the policy rules for polmatch?

Actually, it would be the ranged SA labels (defined in the xfrm policy), used
as the target by sendto and recvfrom.
