[fmac-discuss] Zones and Flask
Bill Sommerfeld
sommerfeld at sun.com
Mon Apr 21 19:13:08 PDT 2008
On Mon, 2008-04-21 at 22:05 -0400, Paul Moore wrote:
> The problem is that there is not an IETF published specification which
> offers generic network labeling. While there are some provisions for
> MLS labels in IKEv1 (I believe they were removed from IKEv2, need to
> verify this) there was never a generic label mechanism.
They were removed from IKEv2 (because of lack of implementation
experience with them in IKEv1). IKEv2 could be extended to add them
and/or other label-like attributes.
I'm reluctant to approach the IETF without implementation experience in
hand to help drive the IETF processes to a speedy convergence.
> The current
> labeled IPsec implementation used by SELinux is non-standard and
> actually infringes on an existing IPsec/IKE specification.
As a platform-neutral protocol I would suggest using something a little
less SELinux-specific than an unstructured character string security
context.
- Bill