On Sep 19, 2007, at 11:40 AM, Bill Sommerfeld wrote:

> On Wed, 2007-09-19 at 11:12 -0700, james hughes wrote:
>> Can implicit IPSEC labels be similar to what we do with real
>> interfaces in S10 TX? With real interfaces, we label based on a static
>> policy for an ethernet port. For IPSEC, can we assign a label based on
>> a policy for the other party
>
> Yes.

:^)

> What's more, this becomes a matter of sleight-of-hand within the
> IPsec key management daemon - with implicit labels, the kernel ip stack
> verifies label of traffic == label of SA; the key management daemon
> assigns labels to each SA it creates, and can do so however it feels is
> appropriate.
>
>> (where the other party is identified by their public key)?
>
> Or anything else used to identify the peer. Exact on-the-wire protocol
> is not nailed down but it looks very feasible to allow local mechanisms
> to pick a label based on every attribute on hand
> (public key, certificate,

Good Cryptographic Hygiene.

> ip addresses, phase of moon, etc.,)

Scary. Spoofing phase of moon is trivial...

> when the peer is not
> aware of our extensions; when the peer is label-aware, similar
> mechanisms would be needed to confirm that the peer is authorized to use
> a particular label.

... needed to confirm that the peer is authorized to use a particular range of labels.

>
> - Bill

Very cool.
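As an added illustration (not from the thread, and not Solaris TX or its key management daemon code), here is a small Python model of the three checks discussed above: the key management daemon picking an SA label from a static per-peer policy, the kernel comparing a packet's label with the label of the SA it arrived on, and the range check for a label-aware peer. Label names, peer fingerprints and the linear label ordering are constructed assumptions; real TX labels are partially ordered and a range is a min/max pair under dominance.

```python
from dataclasses import dataclass

# Constructed label ordering (hypothetical); higher rank dominates lower.
LABEL_RANK = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2}

# Constructed static policy: peer identity (here a public-key fingerprint,
# hypothetical values) -> label every SA with that peer must carry.
PEER_LABEL_POLICY = {
    "sha256:peer-a-fingerprint": "CONFIDENTIAL",
    "sha256:peer-b-fingerprint": "PUBLIC",
}


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    peer_id: str
    label: str


def assign_sa_label(peer_id: str, spi: int) -> SecurityAssociation:
    """Key-management-daemon side: the label is implicit, chosen from the
    local policy for the authenticated peer, not taken from the peer."""
    label = PEER_LABEL_POLICY.get(peer_id)
    if label is None:
        # No policy for this peer: refuse to create an SA rather than guess.
        raise PermissionError(f"no label policy for peer {peer_id}")
    return SecurityAssociation(spi=spi, peer_id=peer_id, label=label)


def kernel_admits(packet_label: str, sa: SecurityAssociation) -> bool:
    """Kernel IP stack side: with implicit labels the only check is
    label(traffic) == label(SA); a mismatch is dropped."""
    return packet_label == sa.label


def peer_authorized_for_label(requested: str, authorized_range: tuple) -> bool:
    """Label-aware peer: a label the peer asks for must fall inside the
    range (low, high) the local policy authorizes for that peer."""
    low, high = authorized_range
    if requested not in LABEL_RANK:
        return False
    return LABEL_RANK[low] <= LABEL_RANK[requested] <= LABEL_RANK[high]
```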