[Openswan dev] [RFC 1/1] Labeled IPsec communication

Michael Richardson mcr at xelerance.com
Wed Oct 31 14:26:33 EDT 2007




>>>>> "Venkat" == Venkat Yekkirala <vyekkirala at TrustedCS.com> writes:
    Venkat> 2. The specific label calling for an SA is passed up to pluto
    Venkat> by the kernel as part of the acquire message. Pluto then
    Venkat> includes this label in the negotiation so that both ends tie
    Venkat> this label to the SAs established as part of the negotiation
    Venkat> and further load the SAs into the kernel with the label tied
    Venkat> to them. The kernel would then use the appropriate SA based
    Venkat> on the label of the process and the label of the SA; IOW, it
    Venkat> would use an SA labeled with Secret for Secret
    Venkat> processes/packets and an SA labeled Top Secret for Top
    Venkat> Secret processes/packets.

    Venkat> That's pretty much all there is to it. Now the biggest impact
    Venkat> is where several SAs (each for a different label) are tied
    Venkat> to the same connection.  This is where I would specifically
    Venkat> appreciate your review and comments since I may have easily
    Venkat> missed assumptions to the contrary elsewhere in the code.

    Venkat> Also, when a remote peer initiates quick mode, the local
    Venkat> pluto would need to make sure the label that arrives
    Venkat> "polmatch"es (see security.c) to a policy before deciding
    Venkat> that connection applies. I would appreciate a review here as
    Venkat> well.

  I can't review without test cases to understand usage.
  Please see the refineconnection unit test case in #testing for a
basis.

- -- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
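The flow Venkat describes above (label carried in the acquire message, several labeled SAs tied to one connection, polmatch gating the responder) as an added toy model; this is not code from the thread or from Openswan, and `Connection`, `admitted_labels`, the exact-match `polmatch` semantics and the label names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SA:
    spi: int
    label: str          # label both ends tied to this SA during negotiation

@dataclass
class Connection:
    name: str
    admitted_labels: set                      # labels the policy admits (assumed model)
    sas: dict = field(default_factory=dict)   # label -> SA; several per connection

def polmatch(conn, label):
    """Assumed stand-in for the kernel's polmatch (security.c): a label applies
    to this policy only if the policy admits it."""
    return label in conn.admitted_labels

def outbound(conn, process_label):
    """Kernel side of sending: use the SA whose label equals the process label.
    No SA yet -> ('acquire', label): the label goes up to pluto in the acquire
    message. Label not admitted by the policy -> ('drop', None)."""
    if not polmatch(conn, process_label):
        return ("drop", None)
    sa = conn.sas.get(process_label)
    if sa is None:
        return ("acquire", process_label)
    return ("use", sa.spi)

def install_sa(conn, label, spi):
    """Both ends load the negotiated SA into the kernel with the label tied to it."""
    if not polmatch(conn, label):
        raise ValueError(f"label {label!r} not admitted by {conn.name}")
    conn.sas[label] = SA(spi, label)

def responder_match(connections, peer_label):
    """Remote peer initiated quick mode: find a connection whose policy
    polmatches the arriving label before deciding that connection applies."""
    for conn in connections:
        if polmatch(conn, peer_label):
            return conn
    return None

if __name__ == "__main__":
    conn = Connection("east-west", {"Secret", "TopSecret"})   # constructed
    print(outbound(conn, "Secret"))                  # ('acquire', 'Secret')
    install_sa(conn, "Secret", 0x1001)
    install_sa(conn, "TopSecret", 0x1002)
    print(outbound(conn, "Secret"), outbound(conn, "TopSecret"))
    print(responder_match([conn], "Unclassified"))   # None: no policy matches
```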


