On Tue, 13 Jun 2006, Venkat Yekkirala wrote:

> SA can be negotiated for each unique security context. A couple of bug fixes
> are also included; checks to make sure the SAs used by a packet match policy
> (security context-wise) on the inbound and also that the bundle used for the
> outbound matches the security context of the flow.

Are these bug fixes independent of the new functionality? If so, they need to be submitted first under separate cover.

> Outstanding items/issues:
> - xfrm_user needs to be altered also to include the security context in
>   acquire messages. This patch set already includes changes for
>   PF_KEY/acquire.

Given that xfrm_user is the native Linux interface, it needs to be done (preferably first).

> - Timewait acknowledgements and such are generated in the current/upstream
>   implementation using a NULL socket resulting in the any_socket sid
>   (SYSTEM_HIGH) to be used. This problem is not addressed by this patch set.

This seems fairly problematic.

Also, as Trent is the original author of this work, his input on these changes is critical.

- James
--
James Morris <[EMAIL PROTECTED]>
