On Wed, 2011-08-03 at 22:21 -0700, Casey Schaufler wrote:
> On 8/3/2011 9:39 PM, Michael H. Warfield wrote:
> > On Wed, 2011-08-03 at 21:01 -0700, Casey Schaufler wrote:
> >> On 8/3/2011 4:24 PM, Serge E. Hallyn wrote:
> >>> Quoting Andre Nathan (an...@digirati.com.br):
> >>>> Hi Mike
> >>>>
> >>>> On Wed, 2011-08-03 at 17:52 -0400, Michael H. Warfield wrote:
> >>>>> That's v4 syntax. Does it not work at all? Did you try this:
> >>>>>
> >>>>> echo ::/0 @ > /smack/netlabel
> >>>>>
> >>>>> Not having tried this myself at all, I'm just asking. If it doesn't
> >>>>> work, that needs to be fixed but it's a SMACK bug.
> >>>> Olivier's IPv4 example works fine, but with IPv6 I get an error:
> >>>>
> >>>> # echo ::/0 @ > /smack/netlabel
> >>>> -bash: echo: write error: Invalid argument
> >>> Looking at linux-2.6/security/smack/smackfs.c, nothing but
> >>> 'a.b.c.d label' or 'a.b.c.d/mask label' is allowed. Now,
> >>> smack_lsm.c does suggest that it wants to work with IPV6,
> >>> but I haven't looked closely enough to tell how it will
> >>> try to match the labels.
> >>>
> >>> Casey, is Smack netlabel supposed to work with IPV6?
> >
> >> IPv6 support is a pending work item for Smack. The whole
> >> IPSEC thing makes it much more difficult than IPv4.
> >
> > ???
>
> 'struth, as they say down under.
>
> >
> > Whoa... Hold da phone a minute!
> >
> > I'm a contributor and developer to Openswan (I'm the author of some code
> > for some Cisco ASA compatibility) and other VPN projects. That does not
> > compute to me. How does IPsec make IPv6 more difficult? Are you saying
> > you do not support IPsec on IPv4 but support is required on IPv6 or is
> > there something else in v6 that I'm missing here. IPv6 does complicate
> > things when you get into IKE v2 world where you can directly tunnel a v6
> > network over v4 endpoints which IKE v1 did not provide for. Is this the
> > problem? The cross protocol encapsulations?

> Smack does not use IPsec on IPv4. Smack uses CIPSO. CIPSO is
> implemented completely within the kernel. It has no user space
> component. There is no CIPSO equivalent for IPv6 due to the
> expectation that all IPv6 implementations will use IPsec and
> IPsec will address all security issues known to man and then
> some.

Ok... Now I'm confused. I don't care if Smack uses IPsec or whatever.
What's important is that "I" use IPsec. Take that as a fundamental
operating condition, you have IPsec on IPv4. It's fundamental to many
IPv4 VPNs. Now the question becomes does SMACK support it or does SMACK
disrupt it or what impact does that have on each other?

CIPSO seems to be just a way of labeling packets and applying and
confirming tags on packets. That sounds reasonable for SMACK to be using
it. That sounds orthogonal to IPsec and sort of like IPsec AH without
ESP.

So, I'm gathering that SMACK can't handle IPv6 because SMACK depends on
CIPSO and CIPSO is apparently not supporting IPv6. But what has that got
to do with IPsec? You're going to have to support IPsec in both IPv4 and
IPv6 just due to the existence of VPNs that depend on it. You can't
exclude IPsec from either. But, you don't have to use it in either. The
original intent of the IETF was to mandate the SUPPORT of IPsec in IPv6
but not its use. Support of IPsec in IPv4 is not mandatory but has
become so important in many installations that it may as well be.

> > Openswan supports 3 stacks, Netkey (the kernel native), KLIPS (the
> > original FreeS/WAN stack), and Mast. My personal primary focus has been
> > on the Netkey stack which is managed through the "ip xfrm" commands and
> > functions. To the user space, IPv6 and IPv4 are agnostic. How does v6
> > in SMACK space become more difficult for v6? It shouldn't be...

> You're right. If Smack was using IPsec for IPv4 it oughtn't be
> any more difficult for IPv6. Smack is not using IPsec because it
> is orders of magnitude more complex than CIPSO.

Then don't use IPsec for IPv4. But you better be supporting it or you
are broken.

> Thus, IPv6 support for Smack is much harder than IPv4 support
> for Smack was. The difference is not between IPv6 and IPv4,
> rather it is the difference between IPsec and CIPSO.

That's a non-sequitur. You are not required to use IPsec in either IPv4
or IPv6. You are required to support it in the sense that you must not
break it and that is true in both IPv4 as well as IPv6. Use what you
want but you must not break other facilities.

> >>> thanks,
> >>> -serge
> >
> > Regards,
> > Mike
>

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 | m...@wittsend.com
/\/\|=mhw=|\/\/             | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9             | An optimist believes we live in the best of all
PGP Key: 0x674627FF         | possible worlds. A pessimist is sure of it!
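The EINVAL that Andre hit above comes from the kernel rejecting a rule shape it never parses. The following pre-flight validator is an added example, not code from this thread or from the Smack sources: it models only what Serge reports about smackfs.c (IPv4 `a.b.c.d label` or `a.b.c.d/mask label` accepted, IPv6 not) so a container setup script can report a readable reason before writing to `/smack/netlabel`. The 0..32 prefix range and the single-token label rule are assumptions.

```python
import ipaddress

# Path from the thread; rules are written to it one line at a time.
SMACK_NETLABEL = "/smack/netlabel"

def validate_netlabel_rule(rule: str):
    """Return (ok, reason) for one candidate /smack/netlabel line.

    Models the syntax the thread attributes to smackfs.c:
    'a.b.c.d label' or 'a.b.c.d/mask label'. Not the kernel's parser.
    """
    parts = rule.strip().split()
    if len(parts) != 2:
        return False, "expected exactly two fields: <address>[/<mask>] <label>"
    host, label = parts
    addr_txt, _, mask_txt = host.partition("/")
    try:
        addr = ipaddress.ip_address(addr_txt)
    except ValueError:
        return False, f"'{addr_txt}' is not an IP address"
    if addr.version == 6:
        # The thread's observation: '::/0 @' fails with EINVAL because
        # the netlabel interface only parses dotted-quad IPv4 (2011 kernels).
        return False, "IPv6 addresses are not accepted by " + SMACK_NETLABEL
    if mask_txt:
        # Assumption: the mask is an IPv4 prefix length, so 0..32.
        if not mask_txt.isdigit() or not 0 <= int(mask_txt) <= 32:
            return False, f"mask '{mask_txt}' must be a prefix length 0..32"
    # Assumption: the label is one whitespace-free token; the thread only
    # shows '@' and documents no further label constraints.
    return True, "ok"

def check_rules(rules):
    """Validate a batch; return [(rule, reason)] for every rejected rule."""
    rejects = []
    for rule in rules:
        ok, why = validate_netlabel_rule(rule)
        if not ok:
            rejects.append((rule, why))
    return rejects

if __name__ == "__main__":
    # Constructed sample: the thread's IPv6 rule plus IPv4 edge cases.
    sample = [
        "10.0.3.0/24 @",   # IPv4 with mask, the working shape
        "192.168.1.1 @",   # IPv4 without mask
        "::/0 @",          # the IPv6 rule from the thread -> EINVAL
        "10.0.3.0/33 @",   # mask out of range
        "10.0.3.0/24",     # label missing
    ]
    for rule, why in check_rules(sample):
        print(f"REJECT {rule!r}: {why}")
```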
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users