James Morris wrote:
> On Fri, 29 Sep 2006, James Morris wrote:
>
>> On Fri, 29 Sep 2006, Paul Moore wrote:
>>
>>>> It seems more of a pain to actually
>>>> prevent their use at the same time and/or explain strange/unnatural
>>>> behavior.
>>>
>>> Agreed, the solution that we agreed upon is much easier to implement and
>>> explain than a lot of the alternatives.
>>
>> Ok, can you please explain it further?
>>
>> i.e. show me what the policy looks like, exactly what the user is trying
>> to achieve, and explain what happens to each packet exactly in terms of
>> labeling on the input and output paths.
>
> Also, why can't this be done just with xfrm labeling?
I believe the issue Venkat and I were discussing was how to handle the case of multiple external labeling protocols, i.e. what to do if we get a packet through a labeled SA which has a CIPSO option. As I've said before, I don't believe this is something we will see much in practice, but I think we need to decide what to do: handle it somehow or just punt on the problem and drop it. Several people with experience with external labeling have commented on how supporting both external labeling protocols would be a good idea, so Venkat and I are trying to come up with a solution that works.

Please see my response with the pseudo code/policy examples as this might help clear things up.

-- 
paul moore
linux security @ hp
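The situation the thread is about, a packet that arrives through a labeled IPsec SA and also carries a CIPSO IP option, can only be handled (or dropped) once the receive path has actually recognised that both labels are present. The block below is an added example, not code from this thread or from the kernel's NetLabel/xfrm implementation: it walks the IPv4 options area for a CIPSO option (type 134, with the 4-byte DOI followed by tags, and the tag-1 sensitivity level, as laid out in FIPS 188), rejects malformed options, and classifies the packet by label source. The "arrived on a labeled SA" flag is assumed to come from the caller (in a real stack it would be derived from the xfrm state); the sample option bytes are constructed for the example. What to do with the LABEL_BOTH case is exactly the open question in the thread, so the code only identifies it and does not decide it.

```c
/* Added example (not from the netdev thread or the kernel): detect a CIPSO
 * option in an IPv4 options area and classify a received packet by which
 * external labels it carries. Option layout per FIPS 188: type 134, length,
 * 4-byte DOI, then tags of {type, length, ...}; tag type 1 = restrictive
 * bitmap: type, length, alignment octet, sensitivity level, category bitmap. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define CIPSO_OPT_TYPE   134   /* IP option type for CIPSO (0x86) */
#define CIPSO_TAG_BITMAP 1     /* tag type 1: restrictive bitmap */
#define IPOPT_EOL        0
#define IPOPT_NOP        1

struct cipso_label {
    uint32_t doi;        /* Domain of Interpretation */
    uint8_t  level;      /* sensitivity level from a type-1 tag, if present */
    bool     have_level;
};

enum label_source {
    LABEL_NONE,          /* neither an SA label nor a CIPSO option */
    LABEL_XFRM_ONLY,     /* labeled SA, no CIPSO option */
    LABEL_CIPSO_ONLY,    /* CIPSO option, unlabeled SA (or no SA) */
    LABEL_BOTH,          /* the case the thread leaves undecided */
    LABEL_MALFORMED      /* option area does not parse: treat as hostile */
};

/* Returns 1 if a well-formed CIPSO option was found (and fills *out),
 * 0 if the option area carries no CIPSO option, -1 if it is malformed. */
int cipso_parse_options(const uint8_t *opts, size_t len, struct cipso_label *out)
{
    size_t i = 0;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL) break;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= len) return -1;                 /* length byte missing */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return -1;   /* option runs past area */
        if (type == CIPSO_OPT_TYPE) {
            const uint8_t *p = opts + i;
            if (olen < 6) return -1;                 /* type, len, 4-byte DOI */
            memset(out, 0, sizeof(*out));
            out->doi = ((uint32_t)p[2] << 24) | ((uint32_t)p[3] << 16)
                     | ((uint32_t)p[4] << 8)  |  (uint32_t)p[5];
            size_t t = 6;                            /* first tag */
            while (t < olen) {
                if (t + 2 > olen) return -1;         /* tag header truncated */
                uint8_t ttype = p[t], tlen = p[t + 1];
                if (tlen < 2 || t + tlen > olen) return -1;
                if (ttype == CIPSO_TAG_BITMAP) {
                    if (tlen < 4) return -1;         /* type, len, align, level */
                    out->level = p[t + 3];
                    out->have_level = true;
                }
                t += tlen;
            }
            return 1;
        }
        i += olen;                                   /* skip other options */
    }
    return 0;
}

/* via_labeled_sa is assumed to be supplied by the caller from xfrm state. */
enum label_source classify_inbound(bool via_labeled_sa,
                                   const uint8_t *opts, size_t len,
                                   struct cipso_label *lbl)
{
    int rc = cipso_parse_options(opts, len, lbl);
    if (rc < 0) return LABEL_MALFORMED;
    if (rc == 1) return via_labeled_sa ? LABEL_BOTH : LABEL_CIPSO_ONLY;
    return via_labeled_sa ? LABEL_XFRM_ONLY : LABEL_NONE;
}

/* Constructed samples: a CIPSO option (DOI 3, one bitmap tag at level 5,
 * no categories) padded with NOP/EOL; a plain options area; a truncated one. */
const uint8_t sample_cipso[] = { 134, 10, 0, 0, 0, 3,  1, 4, 0, 5,  IPOPT_NOP, IPOPT_EOL };
const uint8_t sample_plain[] = { IPOPT_NOP, IPOPT_EOL };
const uint8_t sample_trunc[] = { 134, 10, 0, 0, 0, 3 };

int main(void)
{
    struct cipso_label l;
    static const char *names[] = { "none", "xfrm-only", "cipso-only", "both", "malformed" };
    printf("labeled SA + CIPSO: %s\n",
           names[classify_inbound(true, sample_cipso, sizeof sample_cipso, &l)]);
    printf("  DOI %u level %u\n", l.doi, l.level);
    printf("unlabeled + CIPSO:  %s\n",
           names[classify_inbound(false, sample_cipso, sizeof sample_cipso, &l)]);
    printf("labeled SA, plain:  %s\n",
           names[classify_inbound(true, sample_plain, sizeof sample_plain, &l)]);
    printf("truncated option:   %s\n",
           names[classify_inbound(false, sample_trunc, sizeof sample_trunc, &l)]);
    return 0;
}
```

The parser is deliberately strict about lengths: an option or tag that claims more bytes than remain is reported as malformed rather than silently ignored, since a receive path that "handles" a dual-labeled packet by trusting a truncated CIPSO header is worse than one that drops it. Whether LABEL_BOTH should then be reconciled against the SA label or dropped outright is left to the policy being discussed in the thread.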