Venkat Yekkirala wrote:
>>>Fix SO_PEERSEC for tcp sockets to return the security context of
>>>the peer (as represented by the SA from the peer) as opposed to the
>>>SA used by the local/source socket.
>>
>>What about the case of a localhost TCP connection not using
>>xfrm labeling?
>>
>>Joe Nall raised this as an important requirement.
>
> Yes. We need to come up with some new ideas on this (the failed
> secid-recon patchset sought to do this using the secmark field
> on the skb).
You mentioned in an earlier thread that it may be possible to enable XFRM for localhost via a sysctl variable; I would think this would make the most sense. I understand there is a performance hit due to IPsec being used, but I think this solution offers a few advantages:

1. Functionality is available right now, no additional kernel changes needed
2. No special handling for localhost, I tend to like the idea of having consistent behavior for all addresses/interfaces

Besides the performance penalty of IPsec and the untested nature of this solution is there some gotcha here which would prevent this from working?

-- 
paul moore
linux security @ hp
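As an added example, not code from this thread or from the kernel patch it discusses: a small C program that opens a TCP connection to itself over 127.0.0.1 and asks the accepting side for the peer's security context via SO_PEERSEC, separating the unlabeled case (ENOPROTOOPT, the localhost-without-xfrm-labeling gap raised above) from a labeled peer and from real socket errors. The function names, the PEERSEC_* enum and the SO_PEERSEC fallback value are my own; it assumes a Linux host, and on one with SELinux but no xfrm labeling on loopback the expected result is the unlabeled case.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_PEERSEC
#define SO_PEERSEC 31 /* asm-generic value; assumption for libc headers that omit it */
#endif

enum { PEERSEC_ERROR = -1, PEERSEC_UNLABELED = 0, PEERSEC_LABELED = 1 };

/* Ask the kernel for the peer's security context on a connected stream socket.
 * ENOPROTOOPT means no LSM label is attached to the peer, which is what a
 * loopback connection without xfrm labeling yields; other errnos are real errors. */
int tcp_peer_context(int fd, char *ctx, size_t ctxlen)
{
    socklen_t len = (socklen_t)ctxlen;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, ctx, &len) == 0) {
        ctx[len < ctxlen ? len : ctxlen - 1] = '\0'; /* force NUL termination */
        return PEERSEC_LABELED;
    }
    return errno == ENOPROTOOPT ? PEERSEC_UNLABELED : PEERSEC_ERROR;
}

/* Connect to ourselves over 127.0.0.1 on an ephemeral port and ask the
 * accepting side who its peer is. */
int loopback_peer_context(char *ctx, size_t ctxlen)
{
    struct sockaddr_in sa;
    socklen_t salen = sizeof(sa);
    int lfd, cfd = -1, afd = -1, rc = PEERSEC_ERROR;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* sin_port 0: kernel picks */
    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return PEERSEC_ERROR;
    if (bind(lfd, (struct sockaddr *)&sa, salen) < 0 || listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &salen) < 0)
        goto out;
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0 ||
        connect(cfd, (struct sockaddr *)&sa, salen) < 0)
        goto out;
    if ((afd = accept(lfd, NULL, NULL)) < 0)
        goto out;
    rc = tcp_peer_context(afd, ctx, ctxlen);
out:
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    close(lfd);
    return rc;
}
```

Without labeled networking the accepting side reports PEERSEC_UNLABELED; turning on xfrm labeling for loopback, as proposed in the reply, is what would make the same call return a context string instead.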