On Tue, 2008-05-13 at 13:33 -0400, Dan McDonald wrote:
> * Your glossary's mention of PF_KEY should mention RFC 2367.

Fixed.

> * IKE traffic is ADMIN_LOW. How would that work if a labeled system wants to
> talk with an unlabeled one? Or is this where those annoying middleboxen
> come in handy?

That's an area of the design which will need some fleshing out. I believe the
following could work without playing too fast and loose with MAC:

- key management traffic to a single-label host bears that host's sole label
  (that's almost a "duh!")

- key management traffic to a multi-label host bears the most sensitive label
  for that host.

- Bill
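To work through the labeling rule Bill proposes, here is an added example that is not code from the thread's design, from PF_KEY, or from any labeled-networking product. It models MAC labels as a small Bell-LaPadula style lattice (classification level plus a compartment set, with the usual dominance relation), derives the key-management label for a host from the labels that host carries, and flags the case the rule leaves open: a multi-label host whose labels are mutually incomparable, where the "most sensitive label" is the lattice join and is not one of the host's own labels. The host label sets, levels and compartment names are constructed for illustration.

```python
"""Added illustration of the key-management labeling rule from the reply.

Not the design's code. Labels are a toy lattice: (classification level,
frozenset of compartments). A dominates B when A's level >= B's level and
A's compartments are a superset of B's. ADMIN_LOW is the bottom element.
"""
from dataclasses import dataclass
from functools import reduce
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Label:
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (self.level >= other.level
                and other.compartments <= self.compartments)

    def join(self, other: "Label") -> "Label":
        # Least upper bound in the lattice.
        return Label(max(self.level, other.level),
                     self.compartments | other.compartments)


ADMIN_LOW = Label(0)  # bottom: every label dominates it (the original design's
                      # label for all IKE traffic, per the quoted question)


def key_management_label(host_labels: Iterable[Label]) -> Tuple[Label, bool]:
    """Label for IKE traffic to a host, per the rule in the reply.

    Single-label host: its sole label. Multi-label host: the most sensitive
    label it carries, computed here as the join of all its labels. The second
    return value is False when that join is not itself one of the host's
    labels (the host's labels are incomparable), which the rule as stated
    does not cover and a practitioner would want to detect rather than guess.
    """
    labels: List[Label] = list(host_labels)
    if not labels:
        raise ValueError("host must carry at least one label")
    top = reduce(Label.join, labels)
    return top, top in labels


def cleared_for(host_labels: Iterable[Label], traffic_label: Label) -> bool:
    """MAC check at an endpoint: the host may handle key management traffic at
    traffic_label only if some label it carries dominates that label."""
    return any(lbl.dominates(traffic_label) for lbl in host_labels)


# Constructed hosts (made-up levels and compartments).
SINGLE_LABEL_HOST = [Label(2, frozenset({"a"}))]
MULTI_LABEL_HOST = [ADMIN_LOW, Label(1), Label(2, frozenset({"a"}))]
INCOMPARABLE_HOST = [Label(2, frozenset({"a"})), Label(2, frozenset({"b"}))]


def demo() -> List[Tuple[str, Label, bool, bool]]:
    """Apply the rule to each constructed host and check that the chosen
    label is one the host is cleared for."""
    out = []
    for name, labels in (("single", SINGLE_LABEL_HOST),
                         ("multi", MULTI_LABEL_HOST),
                         ("incomparable", INCOMPARABLE_HOST)):
        lbl, exact = key_management_label(labels)
        out.append((name, lbl, exact, cleared_for(labels, lbl)))
    return out


if __name__ == "__main__":
    for name, lbl, exact, ok in demo():
        print(f"{name:13s} IKE label={lbl} exact={exact} cleared={ok}")
```

For the single-label and ordinary multi-label hosts the rule yields a label the host already carries, so the endpoint passes the clearance check. For the incomparable host the join carries both compartments; the host is still cleared for it only if it actually holds that joined label, which is the gap the second return value exposes.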