Received: from jazzdrum.ncsc.mil (zombie.ncsc.mil [144.51.88.131])
	by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with SMTP id lAKMVEPA031600
	for ; Tue, 20 Nov 2007 17:31:14 -0500
Received: from g1t0027.austin.hp.com (jazzdrum.ncsc.mil [144.51.5.7])
	by jazzdrum.ncsc.mil (8.12.10/8.12.10) with ESMTP id lAKMVBYg003207
	for ; Tue, 20 Nov 2007 22:31:12 GMT
From: Paul Moore
To: James Morris
Subject: Re: Problems with Labeled IPsec, IKE and ECN
Date: Tue, 20 Nov 2007 17:30:12 -0500
Cc: selinux@tycho.nsa.gov, Joy Latten, Venkat Yekkirala
References: <200711191517.34487.paul.moore@hp.com>
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <200711201730.12250.paul.moore@hp.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Tuesday 20 November 2007 3:32:57 pm James Morris wrote:
> On Mon, 19 Nov 2007, Paul Moore wrote:
> > Needless to say this is a problem and we need to move away from using the
> > IKE/IPsec attribute value of "10" as soon as possible. Further, simply
> > picking a new number is not a good solution, we should really petition
> > IANA to get an attribute number assigned for this purpose. However,
> > doing so will most likely require documenting the Linux Labeled IPsec
> > design and submitting it to the IETF as a draft specification for
> > approval[4].
>
> How likely is this approach viable, given the moratorium on ISAKMP/IKE v1
> features?

I have no idea. Although I would presume that the Labeled IPsec folks would
want to provide IKEv2 functionality at some point.

> > If this is not
> > possible we will need to start investigating alternatives as "poaching"
> > existing standards is not a viable, maintainable solution.
>
> Note (from http://www.iana.org/assignments/isakmp-registry)
>
> "The values 32001-32767 are reserved for private use amongst
> cooperating systems."
>
> If we can't get an official number for use with IKEv1, then perhaps this
> will be our only option.

This is one of the things I had in mind as an "alternative" but I think we
are better served trying to get an attribute reserved.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.