(usagi-users 03116) Re: [Ipsec-tools-devel] Issue on add new items to security association
- To: Aidas Kasparas <a.kasparas@xxxxxx>
- Subject: (usagi-users 03116) Re: [Ipsec-tools-devel] Issue on add new items to security association
- From: Park Lee <parklee_sel@xxxxxxxxx>
- Date: Sun, 14 Nov 2004 10:03:24 -0800 (PST)
- Cc: ipsec-tools-devel@xxxxxxxxxxxxxxxxxxxxx, usagi-users@xxxxxxxxxxxxxx
- In-reply-to: <419744FC.1050301@gmc.lt>
- Reply-to: usagi-users@xxxxxxxxxxxxxx
- Resent-date: Tue, 16 Nov 2004 16:35:45 +0900
- Resent-from: sekiya@xxxxxxxxxxxxxx
- Resent-message-id: <200411161635.FMLAAB5250.usagi-users@linux-ipv6.org>
- Resent-to: usagi-users@xxxxxxxxxxxxxx (moderated)
On Sun, 14 Nov 2004 at 13:43, Aidas Kasparas wrote:
> Park Lee wrote:
> > Hi,
> > I'm using IPsec-tools as my user space tools for native IPsec of
> > Linux kernel 2.6.
> > Now, I need to add some items to security association (SA), Then,
> > I add those items to struct xfrm_state in include/net/xfrm.h.
> > After having done this, how can I initiate these newly added items
> > and make them usable in the later processing of packets?
>
> Not sure what you claim to have done.
Thanks,
I'm now learning SELinux, and want to integrate IPsec with it to build a labeled network.
The idea is that each outgoing packet is labeled with a security context. If we have integrated IPsec with SELinux, we can use the security association to store the security context. When the packet is received by its peer, the packet can then be labeled with the security context stored in the security association. So I want to add a new item to the SA to store the security context for the packet.
But I'm a novice on IPsec, and I was not sure about some things in IPsec.
Because the security context of a packet is associated with its sending socket's security context, I think it's not so good to specify the security context explicitly through setkey: this would need modifying setkey to know the new item, and would need getting the security context of the sending socket explicitly before we can set it on the packet.
So, I only want to change the kernel code to achieve the goal, not specify the security context explicitly through setkey, and, in the meantime, still use a manually keyed connection set up with setkey (because I think this is the simplest way to use IPsec). I.e., use setkey to provide all parameters needed for the setup of the connection except the security context parameter, and leave the security context parameter to be processed in the kernel. Is this feasible? If it is, how and when can I initiate the security context parameter in the kernel before the SA is set up?
How about using racoon to automatically set up the SA in this matter?
Thank you very much!
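The following is an added illustration, not part of this thread and not Linux xfrm or ipsec-tools code: a userspace C model of the scheme Park Lee describes, with a security-context item on the SA that the sending side binds from the sending socket at first use and the receiving side copies onto inbound packets. The struct and function names, the context strings and the 10.0.0.2 address are assumptions constructed for the example. It also models the check a practitioner would want on the send path (an SA already bound to one context refuses traffic from another) and the receive-side gap (the peer has no sending socket to derive the context from, so its SA must be given the context by something like setkey or IKE).

```c
/* Added userspace model (not Linux xfrm code) of the labeled-SA scheme:
 * an SA gets a security-context item, the sender binds it from the
 * sending socket's context at first use, the receiver labels inbound
 * packets from its SA. Names, contexts and addresses are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTX_MAX 64
#define SAD_MAX 8

/* Stand-in for the item the mail proposes adding to struct xfrm_state. */
struct sec_ctx {
    int bound;              /* 0 until some path fills the context in */
    char str[CTX_MAX];      /* assumed SELinux context string */
};

/* Minimal SA: the identifiers setkey supplies, plus the new context item. */
struct sa {
    uint32_t dst;           /* destination (host-order IPv4 in this model) */
    uint8_t proto;          /* 50 = ESP, 51 = AH */
    uint32_t spi;
    struct sec_ctx ctx;
};

struct sad { struct sa entries[SAD_MAX]; int n; };

/* Model of "setkey add": address, protocol and SPI given, context not. */
int sad_add(struct sad *db, uint32_t dst, uint8_t proto, uint32_t spi)
{
    if (db->n >= SAD_MAX) return -1;
    struct sa *s = &db->entries[db->n++];
    memset(s, 0, sizeof *s);
    s->dst = dst; s->proto = proto; s->spi = spi;
    return 0;
}

static struct sa *sad_lookup(struct sad *db, uint32_t dst, uint8_t proto, uint32_t spi)
{
    for (int i = 0; i < db->n; i++) {
        struct sa *s = &db->entries[i];
        if (s->dst == dst && s->proto == proto && s->spi == spi) return s;
    }
    return NULL;
}

/* Context supplied from outside the kernel (what setkey or IKE would do).
 * The receiver has no sending socket to copy from, so it needs this path. */
int sad_set_context(struct sad *db, uint32_t dst, uint8_t proto, uint32_t spi, const char *ctx)
{
    struct sa *s = sad_lookup(db, dst, proto, spi);
    if (!s) return -1;
    snprintf(s->ctx.str, CTX_MAX, "%s", ctx);
    s->ctx.bound = 1;
    return 0;
}

/* Outbound path, where the kernel has both the SA and the sending socket's
 * context. First use binds the context; later use must match, otherwise a
 * second domain would ride on an SA the peer labels as the first one.
 * Returns 1 newly bound, 0 matched, -1 no SA, -2 mismatch. */
int tx_bind_context(struct sad *db, uint32_t dst, uint8_t proto, uint32_t spi, const char *sock_ctx)
{
    struct sa *s = sad_lookup(db, dst, proto, spi);
    if (!s) return -1;
    if (!s->ctx.bound) return sad_set_context(db, dst, proto, spi, sock_ctx) == 0 ? 1 : -1;
    return strcmp(s->ctx.str, sock_ctx) == 0 ? 0 : -2;
}

/* Inbound path on the peer: copy the SA's context onto the packet. out must
 * hold CTX_MAX bytes. Returns 0 ok, -1 no SA, -2 SA has no context yet
 * (the packet must not be given a guessed label). */
int rx_label_packet(struct sad *db, uint32_t dst, uint8_t proto, uint32_t spi, char *out)
{
    struct sa *s = sad_lookup(db, dst, proto, spi);
    if (!s) return -1;
    if (!s->ctx.bound) return -2;
    snprintf(out, CTX_MAX, "%s", s->ctx.str);
    return 0;
}

/* Walk both ends of one manually keyed SA. Returns 0 if every step behaves
 * as described above, else the number of the failing step. */
int run_scenario(void)
{
    const uint32_t peer = 0x0A000002;                       /* 10.0.0.2, constructed */
    const char *httpd = "system_u:system_r:httpd_t:s0";     /* assumed contexts */
    const char *sshd  = "system_u:system_r:sshd_t:s0";
    struct sad tx = {0}, rx = {0};
    char label[CTX_MAX];

    if (sad_add(&tx, peer, 50, 0x1000) != 0) return 1;                 /* sender: setkey add */
    if (tx_bind_context(&tx, peer, 50, 0x1000, httpd) != 1) return 2;  /* first packet binds */
    if (tx_bind_context(&tx, peer, 50, 0x1000, httpd) != 0) return 3;  /* same domain: ok */
    if (tx_bind_context(&tx, peer, 50, 0x1000, sshd) != -2) return 4;  /* other domain: refused */

    if (sad_add(&rx, peer, 50, 0x1000) != 0) return 5;                 /* receiver: setkey add */
    if (rx_label_packet(&rx, peer, 50, 0x1000, label) != -2) return 6; /* nothing to label with */
    if (sad_set_context(&rx, peer, 50, 0x1000, httpd) != 0) return 7;  /* must be supplied */
    if (rx_label_packet(&rx, peer, 50, 0x1000, label) != 0) return 8;
    if (strcmp(label, httpd) != 0) return 9;
    return 0;
}

int main(void)
{
    int rc = run_scenario();
    printf("scenario %s (step %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

Build with `cc -std=c99 -Wall labeled_sa_model.c && ./a.out`; exit status 0 means every step behaved as the comments say. The point the model makes about the question in the mail is step 6 versus step 7: binding the context lazily on the send side works because the kernel sees the sending socket there, but the receiving kernel never does, so the receiver's SA still has to be told its context by setkey, by the key-management daemon, or by some other explicit path.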