Here are the slides from my Netconf 2006 talks.
- Better IPsec SA Resolution (PDF)
Some discussion of the case where we need to send a packet, but have no IPsec security association for it. Generally, we currently return EAGAIN to applications and initiate an SA negotiation, but this seems less than optimal. One approach is to not return an error (which some implementations do) so that applications don’t die from surprise. We could also queue the packet and wait for the negotiation to complete, with appropriate semantics for various scenarios.The big question at this point is: in what situations are people seeing this? Generally, the key manager will maintain SAs as needed, and the case of not having one established is believed to be unusual, but we don’t really know for sure. Opportunistic encryption would likely benefit from proper queuing, but it’s not clear how widely it’s deployed.
- OLPC Networking Overview (PDF)
Brain dump of what I understand currently of the networking aspects of the OLPC project, which I thought might be of interest to other kernel network developers. - Mandatory Access Control Networking Update (PDF)
Coverage of developments in MAC networking over the last year, including the new Secmark controls & SELinux, completion of the native xfrm IPsec labeling to meet LSPP/EAL4 , and CIPSO support. Paul Moore from HP will be giving a more detailed talk on CIPSO today or tomorrow.
Also, met up with some local SELinux developers at lunch time: Kaigai Kohei , Kazuki Omo and Yuichi Nakamura. After noticing a six-page SELinux article in a Japanese Linux magazine last night while shopping in Akihabara Electric Town, I asked them if they’d seen it and it turns out that Nakamura-san wrote it, and that he writes a monthly SELinux column for the magazine. We had some discussion about SELinux usability, SE postgresql and JFFS2 support. Unfortunately, we ran out of time — hopefully we’ll get to talk again at the next SELinux symposium.
(Which reminds me to note that the CFP submissions are due on October 9th).
I wonder how many people know that there’s an official Netfilter Song.