On Mon, Nov 16, 2009 at 11:39:30AM -0500, Stephen Kent wrote: <SNIP!>
> >Or put the labels in the SA, since especially for IPSO you probably
> >want cryptographic separation of different security levels.
>
> There are various options here. I know of devices that have opted to
> use ESP in tunnel mode to ensure the binding, and that is what I
> noted during the IPSECME WG session. I may know of an instance or two
> where AH has been used to do this, because it introduced less
> (bandwidth) overhead than tunnel mode. Implementations that make use
> of IPSO or CIPSO should negotiate the labels as part of the SA. The
> label should be part of the SPD, and be checked based on SAD entry
> data cached from the SPD. (Can you tell that I've been through all of
> this?) We had a presentation by Joy (remotely) on adding label
> support, as a new work item, which would explore these issues in more
> detail, if we choose to adopt this as a new WG item.

If the WG takes on labeling, please make sure we don't concentrate on just one platform (SELinux). Besides Joy's work, there's now also SA-implicit labeling on another platform:

http://hub.opensolaris.org/bin/view/Project+txipsec/

Once build 128 hits the servers, you can play with it!

FYI,
Dan

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
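The binding Kent describes (label negotiated as part of the SA, held in the SPD, enforced from SAD state cached at SA creation) sketched as a toy model. This is an added illustration, not code from any implementation mentioned in the thread; the `Label`, `SPDEntry` and `SADEntry` structures and the `LabelledIPsec` class are assumptions for the example, not RFC 4301 data structures.

```python
"""Toy model of label-aware IPsec policy (added example, not from the
thread or any implementation).  One SA per label gives the
cryptographic separation between levels; the SAD entry caches the
SPD label so inbound traffic is checked against the SA, not the packet.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Label:
    """IPSO/CIPSO-style label: sensitivity level plus categories (assumed shape)."""
    level: int
    categories: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class SPDEntry:
    src: str
    dst: str
    label: Label  # label that any SA created from this entry must carry


@dataclass
class SADEntry:
    spi: int
    label: Label  # cached from the SPD entry when the SA was negotiated


class LabelledIPsec:
    def __init__(self) -> None:
        self.spd: List[SPDEntry] = []
        self.sad: Dict[int, SADEntry] = {}
        self._next_spi = 0x1000  # constructed starting SPI for the example

    def add_policy(self, src: str, dst: str, label: Label) -> None:
        self.spd.append(SPDEntry(src, dst, label))

    def negotiate_sa(self, src: str, dst: str, label: Label) -> Optional[int]:
        """Create an SA only if an SPD entry matches selectors AND label;
        traffic at a different label gets a different SA (or none)."""
        for entry in self.spd:
            if (entry.src, entry.dst, entry.label) == (src, dst, label):
                spi, self._next_spi = self._next_spi, self._next_spi + 1
                self.sad[spi] = SADEntry(spi, entry.label)
                return spi
        return None

    def inbound_check(self, spi: int, pkt_label: Label) -> bool:
        """Accept only if the packet's label equals the label cached on
        the SA that protected it; unknown SPI or mismatch is rejected."""
        sa = self.sad.get(spi)
        return sa is not None and sa.label == pkt_label
```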