[fmac-discuss] Zones and Flask
Bill Sommerfeld
sommerfeld at sun.com
Mon Apr 21 20:05:16 PDT 2008
On Mon, 2008-04-21 at 22:50 -0400, Paul Moore wrote:
> In my mind fixing the IPsec management
> problem helps but it doesn't solve the underlying problem that IPsec is
> ill suited for labeling.
this seems to be a matter of opinion and experience.
having built a labeled ipsec prototype on top of solaris, my
implementation experience tells me the exact opposite -- IPsec is
already involved in almost all of the codepaths that labeling is involved in
and IPsec is ideally suited for labeling; adding labels as a new SA
attribute was straightforward and most of the code just worked on the
first or second try.
the IKEv1 negotiation to exchange sensitivity labels also just worked.
AH/ESP already has a better grip on MTU discovery (which has caused us
significant grief with CIPSO).
- Bill
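As an added illustration of the "label as a new SA attribute" design described above (this is example code written for this page, not code from the Solaris prototype or from anyone in the thread): a toy model in which each security association carries a single sensitivity label, outbound SA selection matches on the packet's label alongside the usual selectors, inbound packets inherit their label from the SA they arrived on (so no per-packet IP option such as CIPSO is needed), and a minimal stand-in for the IKE attribute exchange lets a responder accept or reject a proposed label against its policy range. The Bell-LaPadula style dominance rule, the `Label`/`SA`/`SAD`/`Policy` classes and the sample addresses and SPIs are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Label:
    """Sensitivity label: classification level plus a set of compartments (assumed model)."""
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Standard dominance: higher-or-equal level and a superset of compartments.
        return self.level >= other.level and other.compartments <= self.compartments


@dataclass(frozen=True)
class SA:
    """A security association whose label is just another SA attribute."""
    spi: int
    src: str
    dst: str
    proto: str      # "esp" or "ah"
    label: Label    # single-level SA: every packet carried on it has this label


class SAD:
    """Security association database keyed on (SPI, destination), matched on label too."""

    def __init__(self) -> None:
        self._by_spi: Dict[Tuple[int, str], SA] = {}

    def add(self, sa: SA) -> None:
        self._by_spi[(sa.spi, sa.dst)] = sa

    def outbound(self, src: str, dst: str, label: Label) -> Optional[SA]:
        """Choose the SA for an outgoing packet; the packet label is part of the match."""
        for sa in self._by_spi.values():
            if sa.src == src and sa.dst == dst and sa.label == label:
                return sa
        return None   # no SA at this label: the packet must not be sent in the clear

    def inbound(self, spi: int, dst: str) -> Optional[Label]:
        """Label an incoming packet from the SA it arrived on; nothing is read from the IP header."""
        sa = self._by_spi.get((spi, dst))
        return sa.label if sa is not None else None


@dataclass(frozen=True)
class Policy:
    """Responder-side policy for one peer: accept proposed labels in the range [lo, hi]."""
    lo: Label
    hi: Label

    def admits(self, label: Label) -> bool:
        return label.dominates(self.lo) and self.hi.dominates(label)


def negotiate(proposed: Label, responder_policy: Policy, spi: int,
              src: str, dst: str, proto: str = "esp") -> Optional[SA]:
    """Stand-in for the IKEv1 SA attribute exchange (assumed shape, not the real payload
    format): the initiator sends the label with its proposal; the responder accepts the
    SA only if its policy admits that label, otherwise the negotiation fails."""
    if not responder_policy.admits(proposed):
        return None
    return SA(spi=spi, src=src, dst=dst, proto=proto, label=proposed)


def demo() -> Tuple[Optional[SA], Optional[SA], Optional[Label]]:
    """Constructed scenario: a responder that accepts CONFIDENTIAL..SECRET/{crypto}."""
    confidential = Label(1)
    secret_crypto = Label(2, frozenset({"crypto"}))
    topsecret = Label(3, frozenset({"crypto", "nuclear"}))
    policy = Policy(lo=confidential, hi=secret_crypto)

    sad = SAD()
    accepted = negotiate(secret_crypto, policy, 0x1001, "10.0.0.1", "10.0.0.2")
    rejected = negotiate(topsecret, policy, 0x1002, "10.0.0.1", "10.0.0.2")
    if accepted is not None:
        sad.add(accepted)
    # Outbound: a SECRET/{crypto} packet finds the SA; a CONFIDENTIAL one finds nothing.
    chosen = sad.outbound("10.0.0.1", "10.0.0.2", secret_crypto)
    assert sad.outbound("10.0.0.1", "10.0.0.2", confidential) is None
    # Inbound: the label comes from the SA that the SPI selects.
    received = sad.inbound(0x1001, "10.0.0.2")
    return chosen, rejected, received


if __name__ == "__main__":
    chosen, rejected, received = demo()
    print("negotiated SA:", chosen)
    print("over-range proposal rejected:", rejected is None)
    print("inbound packet labeled:", received)
```

The point the model makes is the one in the message: once the label lives on the SA, the existing SA selection and inbound SPI lookup already do the labeling work, and the only new piece is the policy check at negotiation time.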