On Thursday, March 29 2007 10:01:37 am Venkat Yekkirala wrote:
> > -----Original Message-----
> > From: Joy Latten [mailto:[EMAIL PROTECTED]
> >
> > I see this too. I took a brief look at the code and could not readily
> > find where we copy the selector info into the xfrm_state...
>
> SPD stands for Security Policy Database and has just that; policy. Once
> an SPD rule determines that a certain "flow/packet" needs to use an ipsec
> SA with certain characteristics (ah/esp/ipcomp/combo, transport/tunnel,
> etc.), an SA or SAs with the given characteristics are used. So, it's
> perfectly logical that the same SA would be used when the SA
> characteristics among the different policy rules are the same. Varying
> any of these characteristics and/or the label of the flow/packet should
> cause a different SA to be used. Let me know if you find otherwise. It's
> also possible to require unique SAs. See setkey(8), etc.
Yes, I understand that; perhaps I am assuming too much about the way the setkey command works. Maybe you or Joy could help me arrive at the correct configuration for what I would like to do ...

Basically I'm trying to have each SPD rule, i.e. each "spdadd" command to setkey, from my previous email (copied again below) result in a new SA. For example, I would like a connection from A,B[5300],UDP to use a different SA than a connection from A,B[5300],TCP. I know this is possible using different IPsec implementations and would be *very* surprised to find this is not the case for the current Linux kernel. Looking again at the setkey man page, I wonder if swapping "require" for "unique" would accomplish this?

> > spdadd A B[5300] tcp
> >     -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >     -P out ipsec ah/transport//require;
> > spdadd A[5300] B tcp
> >     -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >     -P out ipsec ah/transport//require;
> > spdadd B[5300] A tcp
> >     -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >     -P in ipsec ah/transport//require;
> > spdadd B A[5300] tcp
> >     -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >     -P in ipsec ah/transport//require;
> >
> > spdadd A B[5300] udp
> >     -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >     -P out ipsec ah/transport//require;
> > spdadd A[5300] B udp
> >     -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >     -P out ipsec ah/transport//require;
> > spdadd B[5300] A udp
> >     -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >     -P in ipsec ah/transport//require;
> > spdadd B A[5300] udp
> >     -ctx 1 1 "system_u:object_r:ipsec_spd_t:s0"
> >     -P in ipsec ah/transport//require;

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
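The thread's open question is whether changing the policy level from "require" to "unique" gives each spdadd rule its own SA. The script below is an added example, not part of the thread and not written by any of its participants: it regenerates the eight labeled SPD rules from the message above with setkey(8)'s `unique:<reqid>` level, handing every rule a distinct reqid so that no two policies can be satisfied by the same SA binding. The addresses for A and B are constructed placeholders (192.0.2.x, a documentation range) and the port, protocols, directions and SELinux context string are taken from the thread's rules; the `-ctx` option requires the labeled-IPsec build of ipsec-tools that the thread itself is using. Loading the output (`spd_config | setkey -c`) needs root and is left commented out; the SAs added afterwards must carry the matching reqid for the binding to take effect.

```shell
#!/bin/sh
# Added example (not from the thread): emit one labeled SPD rule per
# (endpoint pair, protocol, direction) with its own "unique:<reqid>" level,
# the setkey(8) policy level that binds a policy to a single SA.
# A and B are constructed placeholder addresses; replace before use.
A="${A:-192.0.2.1}"
B="${B:-192.0.2.2}"
# Security context string copied from the thread's own spdadd rules.
CTX='system_u:object_r:ipsec_spd_t:s0'

# rule SRC DST PROTO DIR REQID: print one spdadd statement in setkey's
# config-file syntax, using "unique:REQID" instead of "require".
rule() {
    printf 'spdadd %s %s %s\n\t-ctx 1 1 "%s"\n\t-P %s ipsec ah/transport//unique:%s;\n' \
        "$1" "$2" "$3" "$CTX" "$4" "$5"
}

# spd_config [BASE_REQID]: the eight rules discussed in the thread (tcp and
# udp, port 5300 on either end, both directions), numbered from BASE_REQID
# (default 1) so every rule gets a reqid nobody else uses.
spd_config() {
    n=${1:-1}
    for proto in tcp udp; do
        rule "$A"         "${B}[5300]" "$proto" out "$n"; n=$((n + 1))
        rule "${A}[5300]" "$B"         "$proto" out "$n"; n=$((n + 1))
        rule "${B}[5300]" "$A"         "$proto" in  "$n"; n=$((n + 1))
        rule "$B"         "${A}[5300]" "$proto" in  "$n"; n=$((n + 1))
    done
}

# rule_count [BASE_REQID]: number of spdadd statements generated.
rule_count() {
    spd_config "$@" | grep -c '^spdadd'
}

# distinct_reqids [BASE_REQID]: number of distinct reqids in the output.
# A value lower than rule_count would mean two policies share a binding,
# which is exactly what the thread is trying to avoid.
distinct_reqids() {
    spd_config "$@" | sed -n 's/.*unique:\([0-9]*\);$/\1/p' | sort -un | wc -l | tr -d ' '
}

# Print the configuration; to load it on a labeled-IPsec host (as root):
#   spd_config | setkey -c
spd_config
```

Running the script prints the eight rules; `rule_count` and `distinct_reqids` both return 8, confirming that each policy has its own reqid. Passing a base such as `spd_config 100` shifts the numbering when the reqids must not collide with policies already present in the SPD.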
