[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 2 Feb 2007 10:30:28 -0500
From: Paul Moore <paul.moore@...com>
To: James Morris <jmorris@...ei.org>,
Joy Latten <latten@...tin.ibm.com>
Cc: netdev@...r.kernel.org, vyekkirala@...stedcs.com,
herbert@...dor.apana.org.au, davem@...emloft.net
Subject: Re: when having to acquire an SA, ipsec drops the packet
On Thursday, February 1 2007 6:44 pm, James Morris wrote:
> On Thu, 1 Feb 2007, Joy Latten wrote:
> > When using labeled xfrms (xfrms that contain a security context), there
> > is potential for a greater amount of SAs to be created than when using
> > regular xfrms. An SA may be created every time a different security
> > context is encountered in a particular traffic stream. This could be
> > many if each networking app has its own security context, making current
> > behavior problematic.
>
> Do you have any examples of how many SAs would need to be created on a
> typical system?
>
> It may not be the end of the world if an MLS box has to negotiate a
> whole bunch of SAs when it boots up.
I agree that having an MLS box spend some extra time when starting the IKE
daemon is probably not the end of the world. However, I'm a little concerned
that it may not be possible to determine a "good" set of SAs to negotiate
with only the SPD as a reference.
For example, the current SELinux MLS policy has 16 sensitivity levels and 1024
categories. Ignoring the TE portion of the SELinux context for the sake of
clarity you can easily see the large number of unique combinations, with each
combination requiring a new SA. Granted, in the majority of these cases only
a quick mode IKE negotiation would be required, which is much less expensive
then having to do a full phase-1 negotiation, but due to the large numbers of
SAs involved I believe it would still be quite a task. It also should be
said that this procedure would need to be done for each SPD rule.
I haven't thought about this too much yet, but I suspect proactively creating
SAs is not going to be a practical solution.
--
paul moore
linux security @ hp
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists