[redhat-lspp] Re: LSPP Development Telecon 06/19/2006 Minutes
Paul Moore
paul.moore at hp.com
Thu Jun 22 20:58:40 UTC 2006
Serge E. Hallyn wrote:
> Quoting Eric W. Biederman (ebiederm at xmission.com):
>
>>Ok. The way it looks to me is this:
>>
>>In the first network namespace connected to the outside world.
>>We set up firewall rules to look at the security association (ipsec/ipauth)
>>with the packet and depending forward that packet out different interfaces
>>depending upon our security rules.
>>
>>Each of the different outgoing interfaces hooks to a different network
>>namespace. With probably a different security level.
>>
>>The IP address is configured the same on the filter network namespace,
>>and the destination network namespaces.
>>
>>The tricky bit is that the filter network namespace needs firewall rules
>>in place so that the returning packets are not allowed to spoof each other.
>
>
> OTOH, if using the ipsec based labeling rather than cipso, that should
> take care of the spoofing as well.
>
Using CIPSO (or any explicit labeling mechanism) should resolve the
spoofing issue as well since the packets are explicitly labeled by the
kernel.
--
paul moore
linux security @ hp
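As an added illustration (not code from the thread or from any participant), a toy model of the forwarding decisions the "filter" namespace above has to make: outbound packets from the outside world are dispatched to an interface by their explicit per-packet label, and returning packets are only accepted if their label matches the namespace they came back from, which is the anti-spoofing check Eric calls the tricky bit. The interface names, labels and addresses are constructed; the label is assumed to be explicit on the packet, as with CIPSO.

```python
from dataclasses import dataclass

# Constructed policy: packet label -> interface into the namespace for that level.
# (Real deployments would express this as firewall/routing rules, not Python.)
LABEL_TO_IFACE = {"unclassified": "veth-low", "secret": "veth-high"}
IFACE_TO_LABEL = {iface: label for label, iface in LABEL_TO_IFACE.items()}
OUTSIDE_IFACE = "eth0"  # the one interface connected to the outside world


@dataclass
class Packet:
    src: str
    dst: str
    label: str      # explicit security label carried with the packet (assumed CIPSO-style)
    in_iface: str   # interface the filter namespace received the packet on


def forward_inbound(pkt: Packet):
    """Packet from the outside world: choose the outgoing interface by label.
    Returns the interface name, or None to drop a packet with an unknown label."""
    if pkt.in_iface != OUTSIDE_IFACE:
        return None
    return LABEL_TO_IFACE.get(pkt.label)


def forward_return(pkt: Packet):
    """Packet returning from an inner namespace: it may only carry the label of the
    namespace it arrived from. A mismatch is a spoof attempt and is dropped."""
    expected = IFACE_TO_LABEL.get(pkt.in_iface)
    if expected is None or pkt.label != expected:
        return None
    return OUTSIDE_IFACE


def route(pkt: Packet):
    """Top-level decision for the filter namespace; None means drop."""
    if pkt.in_iface == OUTSIDE_IFACE:
        return forward_inbound(pkt)
    return forward_return(pkt)


if __name__ == "__main__":
    # 192.0.2.1 is the address configured identically on the filter and destination
    # namespaces, as described in the thread; 10.0.0.5 is a constructed outside host.
    print(route(Packet("10.0.0.5", "192.0.2.1", "secret", "eth0")))        # veth-high
    print(route(Packet("192.0.2.1", "10.0.0.5", "secret", "veth-low")))    # None (spoof)
```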