On Wed, 2006-12-06 at 11:36 -0600, Venkat Yekkirala wrote:
> Minor correction below.
> 
> > -----Original Message-----
> > From: Venkat Yekkirala [mailto:[EMAIL PROTECTED] Behalf Of
> > Venkat Yekkirala
> > Sent: Wednesday, December 06, 2006 11:21 AM
> > To: 'Joy Latten'
> > Cc: '[EMAIL PROTECTED]'; Chad Hanson
> > Subject: RE: [redhat-lspp] Toggle for unlabeled packets in 
> > labeled ipsec
> > 
> > 
> > Hi Joy,
> > 
> > With the "ipsec leak fix" that should be part of 2.6.19, we
> > made sure regular unlabeled ipsec would work as expected without
> > any special policy being needed for
> > 
> > a. a flow needing "polmatch" to unlabeled_t
> > b. an SA needing "sendto" to unlabeled_t
> > 
> > 
> > Now, we still have 2 checks remaining in the non-labeled-ipsec
> > (regular ipsec) case which are:
> > 
> > a. a flow needing "sendto" to unlabeled_t
> > b. a socket needing "recvfrom" unlabeled_t
> > 
> > The idea behind these checks is to make sure a host can't engage
> > in non-ipsec, plain-text communication
> 
> or unlabeled-ipsec communication
> 
> > unless specifically allowed
> > by policy, by allowing the flow/socket to sendto/recvfrom an 
> > unlabeled_t
> > (meaning no labeled-ipsec) SA, respectively. If these are what we
> > are wanting to toggle, I would guess that a policy boolean 
> > could be used.
> >
Yes, I think that is what we want to toggle, because there will be users
who are not interested in LSPP and just want regular ipsec behaviour.
By default, we want regular ipsec behaviour, which would be to accept
all unlabeled packets. And the toggle can be used by sysadmins to enable
"LSPP behaviour" as you have stated above.

Where would the policy boolean go? 

Regards,
Joy
 
> > 
> > > -----Original Message-----
> > > From: Joy Latten [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, December 06, 2006 10:46 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE:[redhat-lspp] Toggle for unlabeled packets in 
> > > labeled ipsec
> > > 
> > > 
> > > On Wed, 2006-11-15 at 09:16 -0600, Venkat Yekkirala wrote:
> > > > > I think the ability to toggle whether unlabeled packets
> > > > > will be accepted or rejected for labeled networking is 
> > > > > required by lspp.
> > > > 
> > > > If this is required, this is probably best accomplished by
> > > > a policy rule (dis)allowing such access. Perhaps a policy
> > > > boolean?
> > > 
> > > In our Monday lspp call we determined that this is necessary.
> > > Regular ipsec behaviour should not be altered. By default 
> > > ipsec should accept unlabeled packets and a toggle should enable
> > > the lspp behaviour of rejecting unlabeled packets. 
> > >  
> > > I am not sure what is the best way to accomplish this.
> > > 
> > > Venkat, you suggested thru policy or a boolean. I have not gotten 
> > > a chance to investigate, but right now are we rejecting unlabeled
> > > packets when ipsec is configured via policy rule?
> > > 
> > > Does anyone have bandwidth to help with this?
> > > 
> > > Thanks!
> > > 
> > > Joy
> > > 
> > 

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
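As an added illustration (not code from this thread, from Venkat, Joy, or the reference policy of the time), one shape the policy boolean discussed above could take is a tunable that wraps exactly the two remaining checks Venkat lists: a flow sending to an unlabeled_t SA and a socket receiving from one. The module name, the boolean name `allow_unlabeled_ipsec`, and the choice to grant the access to the `domain` attribute are all assumptions made for the example; `unlabeled_t` and the `association` class permissions `sendto` and `recvfrom` are the ones named in the thread.

```selinux
# Hypothetical module (added example; not from the thread or refpolicy).
# Assumes refpolicy-style macros, the unlabeled_t type and the domain
# attribute already exist in the base policy.
policy_module(ipsec_unlabeled_toggle, 1.0.0)

gen_require(`
	type unlabeled_t;
	attribute domain;
')

## <desc>
## <p>
## Allow every domain to send to and receive from IPsec security
## associations that carry no label (plain-text or unlabeled-ipsec
## traffic). Enabled by default to keep regular ipsec behaviour;
## disable it to get the LSPP behaviour of rejecting unlabeled packets.
## </p>
## </desc>
gen_tunable(allow_unlabeled_ipsec, true)

tunable_policy(`allow_unlabeled_ipsec',`
	# a. a flow needing "sendto" to unlabeled_t
	# b. a socket needing "recvfrom" unlabeled_t
	# Granting both to the domain attribute is an assumption of this
	# example; a real policy might scope it to specific domains.
	allow domain unlabeled_t:association { sendto recvfrom };
')
```

With the module loaded, `setsebool -P allow_unlabeled_ipsec off` switches the host to the LSPP behaviour (sockets and flows are then denied against unlabeled_t and the AVC denial shows up in the audit log), and `getsebool allow_unlabeled_ipsec` reports the current setting. Note that the "polmatch" check the 2.6.19 leak fix removed is deliberately not part of this tunable, since the thread states it no longer needs policy.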