[Openswan dev] [RFC 1/1] Labeled IPsec communication

Michael Richardson mcr at xelerance.com
Wed Oct 31 14:26:33 EDT 2007


>>>>> "Venkat" == Venkat Yekkirala <vyekkirala at TrustedCS.com> writes:
    Venkat> 2. The specific label calling for an SA is passed upto pluto
    Venkat> by the kernel as part of the acquire message. Pluto then
    Venkat> includes this label in the negotiation so that both ends tie
    Venkat> this label to the SAs established as part of the negotiation
    Venkat> and further load the SAs into the kernel with the label tied
    Venkat> to them. The kernel would then use the appropriate SA based
    Venkat> on the label of the process and the label of the SA; IOW, it
    Venkat> would use an SA labeled with Secret for Secret
    Venkat> processes/packets and an SA labeled Top Secret for Top
    Venkat> Secret processes/packets.

    Venkat> That's pretty much all there's to it. Now the biggest impact
    Venkat> is where several SAs (each for a different label) are tied
    Venkat> to the same connection.  This is where I would specifically
    Venkat> appreciate your review and comments since I may have easily
    Venkat> missed assumptions to the contrary elsewhere in the code.

    Venkat> Also, when a remote peer initiates quick mode, the local
    Venkat> pluto would need to make sure the label that arrives
    Venkat> "polmatch"es (see security.c) to a policy before deciding
    Venkat> that connection applies. I would appreciate a review here as
    Venkat> well.

  I can't review without test cases to understand usage.
  Please see the refineconnection unit test case in #testing for a

-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

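The mechanism Venkat outlines in the quoted text (several SAs, one per label, tied to a single connection; the kernel choosing the SA whose label matches the process or packet; pluto checking that a label proposed by a remote peer in quick mode polmatches a policy before the connection applies), modelled as an added C example. This is not Openswan or pluto code: the struct and function names, the labels and the SPIs are constructed for illustration, and polmatch is simplified to an exact match against a list of labels the policy permits.

```c
/* Added example (not Openswan/pluto code): a toy model of labeled IPsec
 * SA binding and selection. Several SAs, each tied to a label, hang off
 * one connection; outbound traffic picks the SA whose label matches the
 * sending process, and an inbound proposal is bound only if its label
 * "polmatch"es the policy. All names, labels and SPIs are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 8
#define MAX_SAS    8

struct labeled_sa {
    unsigned int spi;   /* constructed SPI, only to tell SAs apart */
    const char *label;  /* label tied to this SA during negotiation */
};

struct connection {
    /* labels the policy permits on this connection (simplified polmatch) */
    const char *allowed[MAX_LABELS];
    int nallowed;
    /* one SA per label, all belonging to the same connection */
    struct labeled_sa sas[MAX_SAS];
    int nsas;
};

/* Simplified polmatch: the arriving label must be one the policy permits.
 * The real check consults the loaded security policy; exact match here. */
int polmatch(const struct connection *c, const char *label)
{
    for (int i = 0; i < c->nallowed; i++)
        if (strcmp(c->allowed[i], label) == 0)
            return 1;
    return 0;
}

/* Bind a negotiated SA to the connection only if its label polmatches.
 * Returns 1 on success, 0 if the label is rejected, already has an SA,
 * or the table is full. */
int bind_sa(struct connection *c, unsigned int spi, const char *label)
{
    if (!polmatch(c, label) || c->nsas >= MAX_SAS)
        return 0;
    for (int i = 0; i < c->nsas; i++)          /* one SA per label */
        if (strcmp(c->sas[i].label, label) == 0)
            return 0;
    c->sas[c->nsas].spi = spi;
    c->sas[c->nsas].label = label;
    c->nsas++;
    return 1;
}

/* Outbound selection: the packet/process label must equal the SA label.
 * NULL means no SA exists for that label yet; that is the situation in
 * which the kernel would send an acquire carrying the label up to pluto. */
const struct labeled_sa *select_sa(const struct connection *c, const char *pkt_label)
{
    for (int i = 0; i < c->nsas; i++)
        if (strcmp(c->sas[i].label, pkt_label) == 0)
            return &c->sas[i];
    return NULL;
}

/* Constructed sample: a policy permitting two labels, with an SA for each. */
struct connection sample_connection(void)
{
    struct connection c;
    memset(&c, 0, sizeof c);
    c.allowed[c.nallowed++] = "Secret";
    c.allowed[c.nallowed++] = "Top Secret";
    bind_sa(&c, 0x1001, "Secret");
    bind_sa(&c, 0x1002, "Top Secret");
    return c;
}

int main(void)
{
    struct connection c = sample_connection();
    const char *labels[] = { "Secret", "Top Secret", "Confidential" };
    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++) {
        const struct labeled_sa *sa = select_sa(&c, labels[i]);
        if (sa)
            printf("%-12s -> SA spi 0x%x\n", labels[i], sa->spi);
        else if (polmatch(&c, labels[i]))
            printf("%-12s -> no SA yet (acquire would carry this label)\n", labels[i]);
        else
            printf("%-12s -> label not permitted by policy\n", labels[i]);
    }
    /* a peer proposing a label outside the policy is refused in quick mode */
    printf("bind Confidential: %d\n", bind_sa(&c, 0x1003, "Confidential"));
    return 0;
}
```

Running it shows the two label-specific SAs being chosen for their own label only, a label with no SA falling through (the acquire case), and a label outside the policy being refused at bind time, which is the check the quoted text asks reviewers to look at.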

