On Wed, 2006-12-13 at 09:23 -0600, Joy Latten wrote:
> On Tue, 2006-12-12 at 10:41 -0500, Paul Moore wrote:
> >
> > Hmmm, if I am following this correctly we are going to need to manually
> > set up an SA for every context we want to send over loopback because
> > racoon can't negotiate with itself? If that's the case I think we really
> > need to get racoon working for loopback because I don't believe the
> > current solution is very practical ...
>
> I am not fully understanding something... what will labeled ipsec over
> loopback be used for?
>
> Someone asked on ipsec-tools list and I could not come up with an
> explanation.
To provide the peer label information on loopback connections or datagrams. Same as using NetLabel on loopback. But if Venkat is successful in wrapping the sp with a union that can carry the secid directly for loopback traffic, then we wouldn't need it at that point (but RHEL 5 likely requires the use of either NetLabel or labeled ipsec over loopback to provide labeling).

-- 
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
