Re: [IPsec] WESP - Roadmap Ahead

Dan McDonald <> Mon, 16 November 2009 16:53 UTC

Date: Mon, 16 Nov 2009 11:52:48 -0500
From: Dan McDonald <>
To: Stephen Kent <>
Message-ID: <20091116165248.GJ1232@kebe.East.Sun.COM>
References: <p06240800c720d4538dd2@> <p0624080ac7212e67c860@> <> <p0624080ec7213743dc05@> <> <> <p06240805c72267851254@[]> <p06240825c7229aead977@[]> <> <p06240800c723d673384e@[]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <p06240800c723d673384e@[]>
Organization: Sun Microsystems, Inc. - Solaris Networking & Security
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: "" <>, "Bhatia, Manav \(Manav\)" <>, Steven Bellovin <>
Subject: Re: [IPsec] WESP - Roadmap Ahead

On Mon, Nov 16, 2009 at 11:39:30AM -0500, Stephen Kent wrote:

> >Or put the labels in the SA, since especially for IPSO you probably
> >want cryptographic separation of different security levels.
> There are various options here. I know of devices that have opted to
> use ESP in tunnel mode to ensure the binding, and that is what I
> noted during the IPSECME WG session. I may know of an instance or two
> where AH has been used to do this, because it introduced less
> (bandwidth) overhead than tunnel mode. Implementations that make use
> of IPSO or CIPSO should negotiate the labels as part of the SA. The
> label should be part of the SPD, and be checked based on SAD entry
> data cached from the SPD. (Can you tell that I've been through all of
> this?) We had a presentation by Joy (remotely) on adding label
> support, as a new work item, which would explore these issues in more
> detail, if we choose to adopt this as a new WG item.

If the WG takes on labeling, please make sure we don't concentrate on just
one platform (SELinux).  Besides Joy's work, there's now also SA-implicit
labeling on another platform:

Once build 128 hits the servers, you can play with it!
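The label-binding design Kent describes above (label carried in the SPD entry, negotiated when the SA is set up, cached in the SAD entry, and checked against every packet the SA carries, so that traffic at different levels never shares an SA) as an added Python sketch. This is not code from the thread or from any of the implementations mentioned; the class and method names, the (level, compartments) label encoding, and the SPIs and addresses are invented for illustration.

```python
"""Sketch of label binding for IPsec SAs (constructed example, not any real stack).

- SpdEntry carries the label the policy requires.
- negotiate_sa() refuses an SA whose proposed label does not match the SPD entry,
  and caches the policy label in the new SadEntry.
- select_outbound_sa() only hands a packet to an SA with an identical cached label,
  which gives the per-level cryptographic separation mentioned in the thread.
- check_inbound() rejects a decapsulated packet whose IPSO/CIPSO-style label
  differs from the label cached for the SA it arrived on.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Hypothetical label encoding: (sensitivity level, set of compartments)
Label = Tuple[int, FrozenSet[str]]


@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    proto: str


@dataclass
class SpdEntry:
    selector: Selector
    label: Label          # label this policy entry requires
    action: str = "PROTECT"


@dataclass
class SadEntry:
    spi: int
    peer: str
    label: Label          # cached from the SPD entry when the SA was created
    spd: SpdEntry


class LabeledIPsec:
    def __init__(self) -> None:
        self.spd: List[SpdEntry] = []
        self.sad: Dict[int, SadEntry] = {}

    def add_policy(self, selector: Selector, label: Label) -> None:
        self.spd.append(SpdEntry(selector, label))

    def lookup_policy(self, selector: Selector) -> Optional[SpdEntry]:
        for entry in self.spd:
            if entry.selector == selector:
                return entry
        return None

    def negotiate_sa(self, spi: int, peer: str, selector: Selector,
                     proposed_label: Label) -> Optional[SadEntry]:
        """Labels are negotiated as part of the SA: a proposal whose label does
        not match the SPD entry for the selector is refused outright."""
        policy = self.lookup_policy(selector)
        if policy is None or policy.label != proposed_label:
            return None
        sa = SadEntry(spi, peer, policy.label, policy)   # cache label from SPD
        self.sad[spi] = sa
        return sa

    def select_outbound_sa(self, selector: Selector,
                           packet_label: Label) -> Optional[SadEntry]:
        """Outbound: only an SA whose cached label equals the packet's label may
        carry it, so each sensitivity level uses its own SA and keys."""
        for sa in self.sad.values():
            if sa.spd.selector == selector and sa.label == packet_label:
                return sa
        return None

    def check_inbound(self, spi: int, packet_label: Label) -> bool:
        """Inbound: the label on the decapsulated packet must equal the label
        cached in the SAD entry for the SPI it arrived on."""
        sa = self.sad.get(spi)
        return sa is not None and sa.label == packet_label


def demo() -> Tuple[LabeledIPsec, Optional[SadEntry], Optional[SadEntry]]:
    """Constructed scenario: policy requires a 'secret/crypto' label; one SA
    proposal matches it, a second proposal at an unclassified label is refused."""
    ipsec = LabeledIPsec()
    sel = Selector("10.0.0.1", "10.0.0.2", "tcp")        # invented addresses
    secret = (3, frozenset({"crypto"}))
    unclass = (0, frozenset())
    ipsec.add_policy(sel, secret)
    good = ipsec.negotiate_sa(0x1001, "10.0.0.2", sel, secret)
    refused = ipsec.negotiate_sa(0x1002, "10.0.0.2", sel, unclass)
    return ipsec, good, refused


if __name__ == "__main__":
    ipsec, good, refused = demo()
    print("SA 0x1001 created:", good is not None, "| unclassified SA refused:", refused is None)
    print("inbound secret packet on 0x1001 accepted:", ipsec.check_inbound(0x1001, (3, frozenset({"crypto"}))))
    print("inbound unclassified packet on 0x1001 accepted:", ipsec.check_inbound(0x1001, (0, frozenset())))
```

The SAD entry never stores a label of its own: it copies the label from the SPD entry at SA creation, which is the "SAD entry data cached from the SPD" arrangement in the quoted text, and every later decision (outbound SA selection, inbound acceptance) is made against that cached copy rather than against whatever label the packet claims.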