On Fri, 2008-05-09 at 14:14 -0400, Ken Powell wrote:
> Bill Sommerfeld wrote:
> > http://www.opensolaris.org/os/project/txipsec/Design/
>
> Section 5.3 - I believe you intended to refer to
> the NET_MAC_AWARE privilege in this section?
Correct. Glenn has convinced me that a separate privilege is needed, so
the document will refer to NET_MAC_BYPASS instead.
>
> I don't understand what is meant by "exempt from
> labeling". Can you describe what checks are bypassed
> or modified on the incoming and outgoing sides? I
> noticed that section 5.5.2 describes labeling rules
> for IKE traffic on the outgoing side.
I'll clarify this. It's for traffic to and from a highly privileged
process. Conceptually, the label checks aren't weakened. In practice,
the bypassed packets will pass the checks.
All this means is that no label (CIPSO or equivalent) is used on the
wire, and that an appropriate label is assigned to inbound unlabeled
packets from multi-label peers destined for sockets with SO_MAC_BYPASS
set. Conceptually, the label checks aren't weakened.
> Section 5.4.2 - I assume the phrase "any existing packet
> label" refers to both the dblk label and a possible cipso
> label in the message text?
Correct. I'll clarify.
>
> Section 5.4.3 - Will there be any consistency checks
> on the outer label of received messages?
Yes. I'll clarify.
>
> Section 5.5.2 item 2 - You should also route IKE Key
> management traffic as if it has the specified label.
Yes. I've changed the document to say this.
- Bill
