Re: [PATCH 7/7] secid reconciliation-v03: Enforcement for SELinux
From: Paul Moore <hidden>
Date: 2006-09-29 16:15:48
Also in:
selinux
James Morris wrote:
> On Fri, 29 Sep 2006, Paul Moore wrote:
>> Unless I'm confusing something, there still may be a need for transitions if we want to support both IPsec and NetLabel labeling on the same connection.
>
> I'd prefer not to support this, as it's too complicated, and CIPSO is a legacy protocol. Normal IPsec protection applied to CIPSO: yes, but not IPsec labeling and CIPSO labeling on the same connection.

I tend to agree, I just can't see it being all that useful in the real world. However, each time it comes up (including the conference call earlier this week) it seems that people would prefer to use both at the same time. The good news is that it sounds like there is a reasonable solution (see the last email exchange between Venkat and myself).

--
paul moore
linux security @ hp