On Mon, Jun 26, 2006 at 08:33:57PM -0400, James Morris wrote: > On Mon, 26 Jun 2006, Joe Nall wrote: > > For all of the EAL4 LSPP Linux evaluation work is being done by Red > > Hat/IBM/HP/atsec and others to be useful to integrators, there has to be > > basic > > (e.g. CIPSO) multilevel network interoperability with existing multilevel > > systems and good (e.g IPSec) multilevel networking between SELinux systems. > > Just to be clear, my understanding is that the native xfrm labeling is > suitable for LSPP evaluation, as distinct from CIPSO being desired by > system integrators from an interoperability point of view.
It's not quite that distinct, the two solutions overlap in some areas but neither can replace the other. CIPSO would also be suitable for LSPP evaluation since it is capable of exporting and importing labeled data. It requires a trusted network since it doesn't encrypt or authenticate, so the evaluation would need to restrict the environment accordingly. The native IPSEC/xfrm approach is useful for more hostile environments where you can't fully trust the network, but it's not interoperable with existing deployed systems so it's not a replacement for CIPSO. >From an evaluation point of view, either CIPSO or IPSEC/xfrm would be able to meet LSPP requirements but with different restrictions on the environment. -Klaus - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
