From: Paul Moore <paul.moore@hp.com>
To: Stephen Hemminger <shemminger@osdl.org>
Cc: netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
selinux@tycho.nsa.gov, James Morris <jmorris@redhat.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [RFC 0/4] NetLabel
Date: Thu, 25 May 2006 17:14:34 -0400
Message-ID: <44761E3A.9050801@hp.com>
In-Reply-To: <20060525135846.44791440@localhost.localdomain>
Stephen Hemminger wrote:
> On Thu, 25 May 2006 16:06:01 -0400
> Paul Moore <paul.moore@hp.com> wrote:
>>This patch introduces a new kernel feature designed to support labeled
>>networking protocols such as RIPSO and CIPSO. These protocols are required to
>>interoperate with existing "trusted" operating systems such as Trusted Solaris.
>>I am posting the patch now not because I feel it is ready for inclusion into
>>any of the main kernel trees but because it is usable and I would like to
>>solicit comments from the community sooner rather than later.
>
> Maybe this would be easier and better done via existing netfilter infrastructure?
I think this would be rather difficult on the outbound side as protocols like CIPSO and RIPSO add IP options to the packet. I may be wrong but I thought that adding to the size of the packet was a no-no in netfilter? Also, doesn't netfilter get the packet after the checksum has been calculated and the packet has gone through the xfrm infrastructure?
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
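The objection above rests on two mechanical facts: a CIPSO option grows the IPv4 header (IHL and total length change), and the header checksum must be recomputed after that growth. The program below, added as an illustration and not part of the NetLabel patch or the Linux kernel code, builds a constructed 28-byte IPv4 packet, inserts a minimal CIPSO option (type 134, one tag type 1 carrying only a sensitivity level, padded to a 32-bit boundary), and updates IHL, total length and the checksum. The DOI value 3 and level 1 are arbitrary constructed inputs; real deployments take them from a CIPSO DOI mapping.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IPv4 header field offsets (RFC 791); all fields are in network byte order. */
#define IP_VER_IHL  0
#define IP_TOT_LEN  2
#define IP_CHECK    10
#define IP_MIN_HLEN 20
#define IP_MAX_HLEN 60

#define IPOPT_CIPSO 134   /* copied | control | option number 6: CIPSO */
#define IPOPT_END   0     /* end-of-options byte, used here as padding */

/* One's-complement sum over the header; yields 0 when the stored checksum is valid. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static size_t ip_hlen(const uint8_t *pkt) { return (size_t)(pkt[IP_VER_IHL] & 0x0f) * 4; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* A header checksum is valid exactly when the sum over the header comes out as 0. */
int ip_header_ok(const uint8_t *pkt) { return ip_checksum(pkt, ip_hlen(pkt)) == 0; }

/*
 * Copy an option-less IPv4 packet into `out`, inserting a 10-byte CIPSO option
 * (DOI plus one tag type 1 with a bare sensitivity level and no categories) padded
 * to 12 bytes. IHL, total length and the checksum are all rewritten, which is the
 * work that must happen before the checksum is finalised. Returns the new packet
 * length, or 0 if the input is not a plain 20-byte header or does not fit.
 */
size_t ip_add_cipso(const uint8_t *in, size_t in_len, uint32_t doi, uint8_t level,
                    uint8_t *out, size_t out_cap)
{
    size_t hlen = ip_hlen(in);
    uint8_t opt[12] = {
        IPOPT_CIPSO, 10,
        (uint8_t)(doi >> 24), (uint8_t)(doi >> 16), (uint8_t)(doi >> 8), (uint8_t)doi,
        1, 4, 0, level,            /* tag type 1: length 4, alignment octet, level */
        IPOPT_END, IPOPT_END       /* pad the header to a multiple of 4 bytes */
    };
    size_t new_hlen = hlen + sizeof opt;
    if (hlen != IP_MIN_HLEN || in_len < hlen || new_hlen > IP_MAX_HLEN ||
        in_len + sizeof opt > out_cap)
        return 0;
    memcpy(out, in, hlen);
    memcpy(out + hlen, opt, sizeof opt);
    memcpy(out + new_hlen, in + hlen, in_len - hlen);
    out[IP_VER_IHL] = (uint8_t)(0x40 | (new_hlen / 4));
    put16(out + IP_TOT_LEN, (uint16_t)(in_len + sizeof opt));
    put16(out + IP_CHECK, 0);                       /* checksum field is zero while summing */
    put16(out + IP_CHECK, ip_checksum(out, new_hlen));
    return in_len + sizeof opt;
}

/* Constructed sample: 20-byte header (UDP, TEST-NET-1 addresses) plus 8 payload bytes. */
size_t make_sample_packet(uint8_t *buf, size_t cap)
{
    static const uint8_t pkt[28] = {
        0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
        192, 0, 2, 1, 192, 0, 2, 2,
        0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xba, 0xbe };
    if (cap < sizeof pkt) return 0;
    memcpy(buf, pkt, sizeof pkt);
    put16(buf + IP_CHECK, ip_checksum(buf, IP_MIN_HLEN));
    return sizeof pkt;
}

int main(void)
{
    uint8_t a[64], b[64];
    size_t n = make_sample_packet(a, sizeof a);
    size_t m = ip_add_cipso(a, n, 3, 1, b, sizeof b);
    printf("before: len %zu ihl %zu tot_len %u checksum ok=%d\n",
           n, ip_hlen(a), get16(a + IP_TOT_LEN), ip_header_ok(a));
    printf("after:  len %zu ihl %zu tot_len %u checksum ok=%d\n",
           m, ip_hlen(b), get16(b + IP_TOT_LEN), ip_header_ok(b));
    return 0;
}
```

The point to take from the output is that the grown packet carries a different IHL, total length and checksum than the original; a hook that only sees the finished packet would have to redo all three, and any checksum it left untouched would fail validation at the next hop.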