> CIPSO is supported on SELinux as well. That's no reason to extend that design mistake.
> It certainly has uses where IPSec > is excessive. One example is someone I talked to recently that basically > has a set of blade systems connected with a high speed backplane that > looks like a network interface. CIPSO is useful in this case because > they can't afford the overhead of IPSec but need to transfer the level > of the connection to the other machines. The backplane is a trusted > network and that isn't a dangerous assumption in this case. If one of the boxes gets broken in all are compromised this way? > CIPSO also lets systems like SELinux and SMACK talk to other trusted > systems (eg., trusted solaris) in a way they understand. Perhaps, but is the result secure? I have severe doubts. > I don't > regularly support CIPSO as I believe IPSec labeling is more useful in > more situations but that doesn't mean CIPSO is never useful. Security that isn't secure is not really useful. You might as well not bother. -Andi - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
