Question about MAC labels and IP fragment handling

Ilmar S. Habibulin ilmar at watson.org
Wed Jan 30 10:13:37 GMT 2002


My suggestion:

Add a label to the ip header struct; the label must contain some sort of flag field.
The flag field would show us whether the packet/mbuf was labeled according to local
policy or carried a label in IP options or in an IPsec SA. If it was an unlabeled
packet on the wire, then the final label must be the lowest possible, I
mean "it must be dominated by all fragments' labels". If it was a labeled
network packet, then the label of each fragment should be the same. If it was
not, then IMHO the best way is to drop such a packet.

PS. I have some time to spare for IPsec hacking. I have setkey(8) sending a
message, containing a label, to a PF_KEY domain socket. But I haven't figured
out how to send compartments and store them.
Comments and advice are welcome.
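The fragment-label rule proposed above, as an added illustration that is not part of the original post and not code from TrustedBSD: fragments carry a hypothetical origin flag (label assigned by local policy vs. label carried on the wire), the reassembled datagram of locally labeled fragments takes the meet (greatest lower bound) of all fragment labels so that every fragment dominates it, and wire-labeled fragments must all carry the same label or the datagram is dropped. The label layout (level plus compartment bitmask), the `struct frag_label`, `reassemble_label()` and the decision to drop a datagram whose fragments mix origins are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical MLS-style label: a sensitivity level plus a compartment bitmask. */
struct mls_label {
    uint8_t  level;
    uint64_t compartments;
};

/* Hypothetical flag recording where a fragment's label came from. */
enum label_origin {
    LABEL_LOCAL_POLICY = 0,  /* arrived unlabeled on the wire; labeled by local policy */
    LABEL_WIRE         = 1   /* label carried in an IP option or an IPsec SA */
};

/* Per-fragment label as it might hang off the ip header struct (constructed model). */
struct frag_label {
    enum label_origin origin;
    struct mls_label  label;
};

/* a dominates b when a's level is at least b's and a's compartments include all of b's. */
int label_dominates(const struct mls_label *a, const struct mls_label *b)
{
    return a->level >= b->level &&
           (a->compartments & b->compartments) == b->compartments;
}

int label_equal(const struct mls_label *a, const struct mls_label *b)
{
    return a->level == b->level && a->compartments == b->compartments;
}

/* Meet (greatest lower bound): lowest level, intersection of compartments. */
struct mls_label label_meet(const struct mls_label *a, const struct mls_label *b)
{
    struct mls_label m;
    m.level        = a->level < b->level ? a->level : b->level;
    m.compartments = a->compartments & b->compartments;
    return m;
}

/*
 * Decide the label of a reassembled datagram.
 * Returns 0 and fills *out when reassembly is allowed, -1 when the datagram must be dropped.
 */
int reassemble_label(const struct frag_label *frags, size_t n, struct mls_label *out)
{
    if (n == 0)
        return -1;

    enum label_origin origin = frags[0].origin;
    struct mls_label acc = frags[0].label;

    for (size_t i = 1; i < n; i++) {
        /* Assumption: fragments whose labels came from different sources are dropped. */
        if (frags[i].origin != origin)
            return -1;

        if (origin == LABEL_WIRE) {
            /* Wire-labeled fragments must agree exactly; otherwise drop. */
            if (!label_equal(&frags[i].label, &acc))
                return -1;
        } else {
            /* Locally labeled fragments: take the meet, dominated by every fragment. */
            acc = label_meet(&acc, &frags[i].label);
        }
    }
    *out = acc;
    return 0;
}

int main(void)
{
    /* Constructed sample: two locally labeled fragments with differing labels. */
    struct frag_label local[2] = {
        { LABEL_LOCAL_POLICY, { 3, 0x5 } },
        { LABEL_LOCAL_POLICY, { 2, 0x3 } }
    };
    struct mls_label out;

    if (reassemble_label(local, 2, &out) == 0)
        printf("local: level %u compartments 0x%llx\n",
               out.level, (unsigned long long)out.compartments);

    /* Constructed sample: wire-labeled fragments whose labels disagree. */
    struct frag_label wire[2] = {
        { LABEL_WIRE, { 3, 0x5 } },
        { LABEL_WIRE, { 3, 0x4 } }
    };
    printf("wire mismatch: %s\n", reassemble_label(wire, 2, &out) == 0 ? "accept" : "drop");
    return 0;
}
```

The meet is the "lowest possible" label in the lattice sense: every fragment's label dominates it, so no fragment's data is up-labeled or down-labeled by reassembly. The mismatch case for wire-labeled fragments returns -1 so that the reassembly code can discard the whole datagram rather than guess a label for it.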
