[Lxc-users] Mitigating LXC Container Evasion?

Michael H. Warfield mhw at WittsEnd.com
Thu Aug 4 13:52:58 UTC 2011


On Wed, 2011-08-03 at 22:21 -0700, Casey Schaufler wrote: 
> Smack does not use IPsec on IPv4. Smack uses CIPSO. CIPSO is
> implemented completely within the kernel. It has no user space
> component. There is no CIPSO equivalent for IPv6 due to the
> expectation that all IPv6 implementations will use IPsec and
> IPsec will address all security issues known to man and then
> some.

Oh, one other point...

"due to the expectation that all IPv6 implementations will use IPsec and
IPsec will address all security issues known to man and then some."

Whose assumption?  Certainly not that of the IETF.  Sounds like some
nonsense promulgated by some anti-IPv6 camps and sounds somewhat
denigrating and disparaging.

It's demonstrably false.  We still have MD5 signatures on TCP packets
used by BGP on IPv6 (I'm also a contributor to quagga in that very area)
even though it was originally "expected" that AH would replace MD5
signatures for BGP authentication.  That expectation went bye-bye many
years ago.  We still have Kerberos.  I don't see anyone going back to
telnet instead of ssh over IPv6.  We still have SSL over IPv6.  The very
statement is facetious on its face and can't possibly be taken
seriously.  If SMACK does not support IPv6 then SMACK is broken.  Fix
it.  IPv6 is a reality.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!