This one bounced earlier.

-----Original Message-----
From: Venkat Yekkirala
Sent: Friday, June 16, 2006 12:09 PM
To: 'Stephen Smalley'; Venkat Yekkirala
Cc: [email protected]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [RFC] [MLSXFRM 00/04] Granular IPSec associations for use in MLS environments

> What if we want to share a single IPSEC SA for a range, and use e.g.
> CIPSO/NetLabel to individually label traffic with individual levels
> within that range? Does this patch set prevent such sharing
> of SAs? Or

To a large extent, it does allow ranged SAs (I will have to loosen up the recvfrom mls constraint a little; sendto already explicitly allows for this). But the current intent would be for such ranged SAs to be manually created and loaded (via setkey), and for auto-generated SAs (via IKE) to be created at single levels.

> is it just a matter of how we configure the policy rules for polmatch?

Actually, it would be the ranged SA labels (defined in the xfrm policy), used as the target by sendto and recvfrom.

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
