On Tue, Sep 18, 2007 at 02:53:59PM -0400, Bill Sommerfeld wrote:
> -- DRAFT OPENSOLARIS PROJECT PROPOSAL --
>
> Project Name: Labeled IPsec (txipsec)
>
> Project Synopsis:
>
> Bring together IPsec and Trusted Networking.
>
> Project Purpose (and commentary):
>
> [...]
> Trusted Networking will gain on-the-wire cryptographic protection of
> sensitivity labels and an optional more-compact on-the-wire
> representation of the label (as an implicit property of the security
> association), making it less reliant on physically secured network
> paths.
+1

I very much support this. I think this is both very important to TX and
also very important work for IPsec more generally. The ways in which a
peer's label range and child SA labels are determined will be most
interesting, but the crucial thing is, as you propose, that for ESP/AH
packets the sender's label be a property of the SA used.

> IPsec will gain from being able to use network repositories for policy
> configuration, allowing even unlabelled networks (which is to say,
> those not using TX) to benefit from this project.

So child SA authorization policy will become pluggable? Using a public
API?

> [...]
> Other interested participants: please speak up, or join the project
> list once we have it running. Contributions of both code and review
> time are obviously quite welcome; there's a lot of work to be done
> here.

I am more than happy to review designs and code, and possibly
contribute code.

Nico
--
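As an added illustration of the "label as an implicit property of the SA" design discussed in this thread (this is example code written for this page, not txipsec or OpenSolaris code, and not from the proposal; the Label, LabelRange and SecurityAssociation types, the dominance rule, and every address, SPI and label value are assumptions constructed for the example), here is a small Python model of the two directions the exchange above touches on: deriving an inbound ESP/AH packet's label from the SA its SPI selects, checking it against the peer's label range, and steering an outbound packet to the child SA whose label equals the sender's label.

```python
# Added example: toy model of labeled IPsec where the sensitivity label is
# a property of the security association rather than an option in the packet.
# Not txipsec code; all types, rules and sample values below are assumptions.

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Label:
    """Sensitivity label: hierarchical classification plus a compartment set."""
    classification: int                               # e.g. 1=PUBLIC, 2=CONF, 3=SECRET
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # self >= other in the label lattice: higher-or-equal level and a
        # superset of compartments (assumed MLS-style dominance).
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class LabelRange:
    """Accreditation range of a peer: every label between low and high."""
    low: Label
    high: Label

    def contains(self, label: Label) -> bool:
        return label.dominates(self.low) and self.high.dominates(label)


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    peer: str
    label: Label          # the label rides on the SA, not in each packet


# Constructed sample data (assumptions, not real configuration).
PUBLIC = Label(1)
CONF_ALPHA = Label(2, frozenset({"alpha"}))
SECRET_ALPHA = Label(3, frozenset({"alpha"}))
SECRET_ALPHA_BETA = Label(3, frozenset({"alpha", "beta"}))

# Security association database, keyed by inbound SPI.
SAD: Dict[int, SecurityAssociation] = {
    0x1001: SecurityAssociation(0x1001, "10.0.0.2", PUBLIC),
    0x1002: SecurityAssociation(0x1002, "10.0.0.2", CONF_ALPHA),
    # An SA whose label lies outside the peer's range (e.g. stale policy):
    0x1003: SecurityAssociation(0x1003, "10.0.0.2", SECRET_ALPHA_BETA),
}

# Per-peer label range (assumed to come from IKE negotiation or a policy repository).
PEER_RANGES: Dict[str, LabelRange] = {
    "10.0.0.2": LabelRange(PUBLIC, SECRET_ALPHA),
}


def label_for_inbound(spi: int, sad: Dict[int, SecurityAssociation] = SAD,
                      peer_ranges: Dict[str, LabelRange] = PEER_RANGES) -> Label:
    """Derive the label of an inbound ESP/AH packet from the SA it arrived on.

    The packet carries no label option; the SA selected by its SPI *is* the
    label. If the SA's label is outside the peer's accredited range the
    packet is refused rather than trusted.
    """
    sa = sad.get(spi)
    if sa is None:
        raise LookupError(f"no SA for SPI {spi:#x}")
    rng = peer_ranges.get(sa.peer)
    if rng is None or not rng.contains(sa.label):
        raise PermissionError(f"SA {spi:#x}: label {sa.label} outside range of {sa.peer}")
    return sa.label


def select_outbound_sa(peer: str, sender_label: Label,
                       sad: Dict[int, SecurityAssociation] = SAD,
                       peer_ranges: Dict[str, LabelRange] = PEER_RANGES
                       ) -> Optional[SecurityAssociation]:
    """Pick the SA for an outbound packet: the child SA to this peer whose
    label equals the sender's label. Returns None when no such SA exists yet
    (the caller would then negotiate one), and refuses when the peer is not
    accredited for that label at all.
    """
    rng = peer_ranges.get(peer)
    if rng is None or not rng.contains(sender_label):
        raise PermissionError(f"peer {peer} not accredited for {sender_label}")
    for sa in sad.values():
        if sa.peer == peer and sa.label == sender_label:
            return sa
    return None
```

The range check on the inbound path is what makes the scheme robust against a mis-provisioned or stale SA: the receiver never takes a label on faith just because a packet authenticated, it takes it only from an SA it has already agreed the peer may use.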