[Openswan dev] [RFC 4301] PFP Support and Kernel SAD Selectors

Tyler Hicks tyhicks at ou.edu
Tue Jan 8 18:41:05 EST 2008


RFC 4301 introduces the idea of using incoming packet information when
creating new SAD entries.  The Linux IPsec implementation does not
currently include PFP support and I thought it may be needed in
openswan's ikev2 branch.

In order to properly support PFP, it seems that the kernel will need
valid SAD selectors, as well.  Currently, openswan responds with empty
SAD selectors after the kernel sends an ALLOCSPI.  A comment in the
kernel suggests that kernel developers expect userspace to return a
valid, complete SA.

I am curious to hear if anyone is working on PFP support for openswan.
Thanks!

Tyler Hicks

----- End forwarded message -----

