[Openswan dev] [RFC 4301] PFP Support and Kernel SAD Selectors

Michael Richardson mcr at xelerance.com
Tue Jan 8 20:46:27 EST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "Tyler" == Tyler Hicks <tyhicks at ou.edu> writes:
    Tyler> RFC 4301 introduces the idea of using incoming packet
    Tyler> information when creating new SAD entries.  The Linux IPsec
    Tyler> implementation does not currently include PFP support and I
    Tyler> thought it may be needed in openswan's ikev2 branch.

  PFP = Populate From Packet.
  The way to do this is to have the kernel send a copy of the header
that caused the ACQUIRE along with the acquire, and then to latch the
connection into a %hold.

  netkey doesn't do %hold right now, which is a serious concern if you
are going to have any kind of dynamic SAs.

    Tyler> I am curious to hear if anyone is working on PFP support for
    Tyler> openswan?  Thanks!

  There are going to be changes at the user-level as to how the policy
is done.  I have no plans to write any code anytime soon.

- -- 
]           Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]  Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
]mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
]panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBR4QnbYCLcPvd0N1lAQI9awgAtujtngTCt9TFnN//qC1waZZrE7vHjlM1
kFPPJsY9C7Q4HRgmtYxs8cRawP2eVzhfMlYQIXBB26W6y8ws3it1BYBPYuhKs6HA
zfh/MmoD88MXsg0jIbpqKTglna8PGB/t15QvWSKMQCcJL0w+j3IufdxIQWgTPwaR
e67p8e8Q4okOfiWip/0sbX5tAkf4RvQQjZPZAxQ0zdEihkC6ec5uE8CO4YyT+YLO
Nqd8FY+OgK3gvzPNFl1uIthyFYaaroY0DGyfJXjdIrGUDFN16sWBCpWKGOY1Sa35
CU6sge5AqXcBnfK9I6PKVix9D8+Mjiuc0D9r4+ZfYRonx19q1p9U7Q==
=W/Ni
-----END PGP SIGNATURE-----
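The mechanism Michael sketches above (the kernel hands the triggering packet up with the ACQUIRE, the policy is latched into a %hold so later matching packets neither leak nor raise a second ACQUIRE, and PFP narrows the new SAD entry's selectors to that packet's values) as a small simulation. This is an added example, not Openswan, NETKEY or Linux kernel code. It assumes the RFC 4301 section 4.4.1 rule for the PFP flag (a selector with the flag set is taken from the packet, otherwise from the SPD entry); the `Packet`, `SPDEntry`, `Kernel` and `build_ipv4_tcp` names and the sample packets are constructed for illustration only.

```python
"""RFC 4301 Populate-From-Packet (PFP) selector derivation plus a toy %hold.
Added example; not Openswan, NETKEY or kernel code."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

SELECTORS = ("src", "dst", "proto", "sport", "dport")


@dataclass(frozen=True)
class Packet:
    """The 5-tuple the kernel would pass up alongside the ACQUIRE."""
    src: IPv4Address
    dst: IPv4Address
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class SPDEntry:
    """One policy entry; None means 'any'. pfp names the selectors whose
    PFP flag is set (assumed RFC 4301 section 4.4.1 semantics)."""
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int]
    sport: Optional[int]
    dport: Optional[int]
    pfp: frozenset = frozenset()

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def parse_ipv4(buf: bytes) -> Packet:
    """Parse just the IPv4 + TCP/UDP fields an ACQUIRE must carry for PFP."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    proto = buf[9]
    src, dst = IPv4Address(buf[12:16]), IPv4Address(buf[16:20])
    sport = dport = 0
    if proto in (6, 17):  # TCP/UDP: ports are the first four transport bytes
        sport, dport = struct.unpack_from("!HH", buf, ihl)
    return Packet(src, dst, proto, sport, dport)


def populate_selectors(spd: SPDEntry, p: Packet) -> dict:
    """SAD selectors for a new SA: PFP-flagged selectors are narrowed to the
    triggering packet's value, the rest are copied from the SPD entry."""
    out = {}
    for name in SELECTORS:
        if name in spd.pfp:
            v = getattr(p, name)
            out[name] = IPv4Network(f"{v}/32") if name in ("src", "dst") else v
        else:
            out[name] = getattr(spd, name)
    return out


def _key(sel: dict) -> tuple:
    return tuple(str(sel[n]) for n in SELECTORS)


class Kernel:
    """Toy SPD/SAD with %hold: first matching packet raises ACQUIRE (with the
    packet attached), later ones are HOLD until install_sa() is called."""
    def __init__(self, spd):
        self.spd = list(spd)
        self.sad = []     # installed selector dicts
        self.holds = {}   # selector key -> (SPDEntry, triggering Packet)

    def _sa_for(self, p: Packet):
        for sel in self.sad:
            if (p.src in sel["src"] and p.dst in sel["dst"]
                    and sel["proto"] in (None, p.proto)
                    and sel["sport"] in (None, p.sport)
                    and sel["dport"] in (None, p.dport)):
                return sel
        return None

    def outbound(self, p: Packet) -> str:
        if self._sa_for(p):
            return "PROTECT"
        for e in self.spd:
            if e.matches(p):
                key = _key(populate_selectors(e, p))
                if key in self.holds:
                    return "HOLD"          # negotiation already in progress
                self.holds[key] = (e, p)   # latch: one ACQUIRE per selector set
                return "ACQUIRE"
        return "BYPASS"

    def install_sa(self, spd_entry: SPDEntry, pkt: Packet) -> dict:
        sel = populate_selectors(spd_entry, pkt)
        self.holds.pop(_key(sel), None)
        self.sad.append(sel)
        return sel


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample packet: IPv4 + TCP SYN headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp


def demo():
    """PFP on dport only: one SA per destination port, other selectors from policy."""
    policy = SPDEntry(IPv4Network("10.0.1.0/24"), IPv4Network("10.0.2.0/24"),
                      6, None, None, pfp=frozenset({"dport"}))
    k = Kernel([policy])
    p1 = parse_ipv4(build_ipv4_tcp("10.0.1.7", "10.0.2.9", 40000, 443))
    p2 = parse_ipv4(build_ipv4_tcp("10.0.1.7", "10.0.2.9", 40001, 443))
    p3 = parse_ipv4(build_ipv4_tcp("10.0.1.8", "10.0.2.9", 40002, 22))
    results = [k.outbound(p1), k.outbound(p2), k.outbound(p3)]
    sel = k.install_sa(policy, p1)   # IKE finished for the port-443 selector set
    results.append(k.outbound(p2))
    return results, sel


if __name__ == "__main__":
    print(demo())
```

In the demo the first port-443 packet raises ACQUIRE, the second is held rather than re-triggering, the port-22 packet is a different PFP selector set and so gets its own ACQUIRE, and once the SA is installed the held flow is protected. Without the %hold latch a kernel would emit an ACQUIRE for every packet in the burst, which is the concern raised about NETKEY above.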

