On Tuesday 20 November 2007 3:32:57 pm James Morris wrote:

> On Mon, 19 Nov 2007, Paul Moore wrote:
>
> > Needless to say this is a problem and we need to move away from using the
> > IKE/IPsec attribute value of "10" as soon as possible. Further, simply
> > picking a new number is not a good solution, we should really petition
> > IANA to get an attribute number assigned for this purpose. However,
> > doing so will most likely require documenting the Linux Labeled IPsec
> > design and submitting it to the IETF as a draft specification for
> > approval[4].
>
> How likely is this approach viable, given the moratorium on ISAKMP/IKE v1
> features?

I have no idea. Although I would presume that the Labeled IPsec folks would
want to provide IKEv2 functionality at some point.

> > If this is not
> > possible we will need to start investigating alternatives as "poaching"
> > existing standards is not a viable, maintainable solution.
>
> Note (from http://www.iana.org/assignments/isakmp-registry)
>
> "The values 32001-32767 are reserved for private use amongst
> cooperating systems."
>
> If we can't get an official number for use with IKEv1, then perhaps this
> will be our only option.

This is one of the things I had in mind as an "alternative" but I think we
are better served trying to get an attribute reserved.

--
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.