From: Paul Moore <paul.moore@hp.com>
To: James Morris <jmorris@namei.org>
Cc: selinux@tycho.nsa.gov, Joy Latten <latten@us.ibm.com>,
	Venkat Yekkirala <vyekkirala@TrustedCS.com>
Subject: Re: Problems with Labeled IPsec, IKE and ECN
Date: Tue, 20 Nov 2007 17:30:12 -0500
Message-ID: <200711201730.12250.paul.moore@hp.com>
In-Reply-To: <Xine.LNX.4.64.0711210729560.31381@us.intercode.com.au>

On Tuesday 20 November 2007 3:32:57 pm James Morris wrote:
> On Mon, 19 Nov 2007, Paul Moore wrote:
> > Needless to say this is a problem and we need to move away from using the
> > IKE/IPsec attribute value of "10" as soon as possible.  Further, simply
> > picking a new number is not a good solution, we should really petition
> > IANA to get an attribute number assigned for this purpose.  However,
> > doing so will most likely require documenting the Linux Labeled IPsec
> > design and submitting it to the IETF as a draft specification for
> > approval[4].
>
> How likely is it that this approach is viable, given the moratorium on
> ISAKMP/IKE v1 features?

I have no idea.  Although I would presume that the Labeled IPsec folks would 
want to provide IKEv2 functionality at some point.

> >  If this is not
> > possible we will need to start investigating alternatives as "poaching"
> > existing standards is not a viable, maintainable solution.
>
> Note (from http://www.iana.org/assignments/isakmp-registry)
>
> "The values 32001-32767 are reserved for private use amongst
> cooperating systems."
>
> If we can't get an official number for use with IKEv1, then perhaps this
> will be our only option.

This is one of the things I had in mind as an "alternative" but I think we are 
better served trying to get an attribute reserved.

-- 
paul moore
linux security @ hp


Thread overview: 3+ messages
2007-11-19 20:17 Problems with Labeled IPsec, IKE and ECN Paul Moore
2007-11-20 20:32 ` James Morris
2007-11-20 22:30   ` Paul Moore [this message]