> > What if we want to share a single IPSEC SA for a range, and use e.g.
> > CIPSO/NetLabel to individually label traffic with individual levels
> > within that range? Does this patch set prevent such sharing of SAs? Or
> > is it just a matter of how we configure the policy rules for polmatch?
If you are wanting to use the CIPSO/NetLabel, why would you desire to use labeled IPSEC? Why not just use regular IPSEC along with CIPSO/NetLabel? I did see your post on NetLabel where you stated you would be inclined to check if the CIPSO label is consistent with the IPSEC SA. So the MLS labeling could look as follows for a packet:

SECMARK: SystemLow-SystemHigh
IPSEC: Unclass-Secret
CIPSO/NetLabel: Secret

From this, if you are willing to check the CIPSO consistency with IPSEC, IMHO it makes even more sense to check the IPSEC consistency with SECMARK. Or if no labeled IPSEC, check CIPSO directly against SECMARK. These consistency checks are what I desire in a routing configuration for forwarded traffic.

IMHO, both labeled IPSEC and CIPSO at the same time seems to be a little overkill.

Currently, we have a product architecture where labeled packets arrive on a ranged interface and then are forwarded without labels onto an appropriate unlabeled network. We would like a consistency check that verifies the packet should be allowed to leave the interface based on the transmitted label. This routing ability is the main driver behind our desire to check the packet label against the iptables label for consistency on outbound traffic.

-Chad

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
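The three-way consistency check the post asks for (CIPSO level inside the IPsec SA range, SA range inside the SECMARK range, or CIPSO directly against SECMARK when there is no labeled IPsec), as an added example that is not part of the thread or of any kernel code. The sensitivity ordering, the category universe and the `Level`/`parse_*`/`check_consistency` names are assumptions constructed for the example; MLS dominance is modelled as higher-or-equal sensitivity plus a superset of categories.

```python
from dataclasses import dataclass

# Constructed sensitivity ordering (an assumption for this example, not from the thread):
# lower index = lower sensitivity. SystemHigh is modelled SELinux-style as top + all categories.
SENSITIVITIES = ["SystemLow", "Unclass", "Confidential", "Secret", "TopSecret", "SystemHigh"]
ALL_CATS = frozenset(f"c{i}" for i in range(16))  # constructed category universe

@dataclass(frozen=True)
class Level:
    sens: str
    cats: frozenset = frozenset()

    def dominates(self, other):
        # MLS dominance: higher-or-equal sensitivity and a superset of categories
        return (SENSITIVITIES.index(self.sens) >= SENSITIVITIES.index(other.sens)
                and other.cats <= self.cats)

def parse_level(text):
    # "Secret:c0,c2" -> Level("Secret", {c0, c2}); a bare "Secret" carries no categories
    sens, _, cats = text.partition(":")
    if sens == "SystemHigh":
        return Level(sens, ALL_CATS)
    return Level(sens, frozenset(c for c in cats.split(",") if c))

def parse_range(text):
    # "Unclass-Secret" -> (low, high); a single level is a range of one
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)

def within(level, rng):
    lo, hi = rng
    return level.dominates(lo) and hi.dominates(level)

def check_consistency(secmark, ipsec_sa, cipso):
    """Return the violated checks (empty list = consistent). With no labeled IPsec
    (ipsec_sa is None) the CIPSO level is checked directly against SECMARK."""
    secmark_rng = parse_range(secmark)
    pkt = parse_level(cipso)
    problems = []
    if ipsec_sa is None:
        if not within(pkt, secmark_rng):
            problems.append("CIPSO level outside SECMARK range")
        return problems
    sa_rng = parse_range(ipsec_sa)
    if not within(pkt, sa_rng):
        problems.append("CIPSO level outside IPsec SA range")
    if not (within(sa_rng[0], secmark_rng) and within(sa_rng[1], secmark_rng)):
        problems.append("IPsec SA range not contained in SECMARK range")
    return problems
```

With the labels from the post, `check_consistency("SystemLow-SystemHigh", "Unclass-Secret", "Secret")` returns an empty list; a TopSecret packet on the same SA, or an SA range wider than the interface's SECMARK, is reported.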
