On Fri, 23 Jun 2006, Paul Moore wrote:

> James Morris wrote:
> > 
> > Support for interoperability with legacy CIPSO systems is something that I 
> > think would be nice to have, if it can be done in a way which doesn't 
> > impact deeply on core kernel code, and plays nicely with native Linux 
> > infrastructure.
> > 
> 
> I'm not sure if you have had a chance to look at the new patch set yet
> but I know you have seen earlier versions and are at least familiar with
> the approach I am taking ... in your opinion is the NetLabel patch
> acceptable in its approach?

The approach basically seems ok, although the priority needs to be on 
getting the native xfrm labeling stuff implemented correctly first before 
really thinking about adding support for legacy schemes.

Here's a possible architectural strategy for all of this:


1. Generic xfrm labeling

2. General MLS infrastructure

3. MLS enhancements to xfrm labeling

4. CIPSO/RIPSO infrastructure

5. HP and PitBull CIPSO implementations


We have (1) and TCS are working on (3).

(2) would include various intra-kernel and userland API support for any 
common MLS requirements across MLS xfrm labeling and CIPSO schemes.  Also, 
I'm not sure how network namespaces might or might not play into this.

There's also the question of if/how secmark labeling might be used in 
conjunction with these distributed labeling schemes.

Also, the unresolved issue of whether to support CIPSO at all.

Even if the approach is technically acceptable, there's the issue of 
maintaining a lot of complicated code in mainline for a very narrow 
userbase to talk to near-obsolete legacy systems.


- James
-- 
James Morris
<[EMAIL PROTECTED]>