[Openswan dev] [RFC 4301] PFP Support and Kernel SAD Selectors
mcr at xelerance.com
Tue Jan 8 20:46:27 EST 2008
>>>>> "Tyler" == Tyler Hicks <tyhicks at ou.edu> writes:
Tyler> RFC 4301 introduces the idea of using incoming packet
Tyler> information when creating new SAD entries. The Linux IPsec
Tyler> implementation does not currently include PFP support and I
Tyler> thought it may be needed in openswan's ikev2 branch.
PFP = Populate From Packet.
The way to do this is to have the kernel send a copy of the header
that caused the ACQUIRE along with the acquire, and then to latch the
connection into a %hold.
netkey doesn't do %hold right now, which is a serious concern if you
are going to have any kind of dynamic SAs.
Tyler> I am curious to hear if anyone is working on PFP support for
Tyler> openswan? Thanks!
There are going to be changes at the user-level as to how the policy
is done. I have no plans to write any code anytime soon.
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
]mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
]panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
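The selector derivation the thread is discussing, as an added example that is not from the Openswan project or from this message: given the SPD entry that matched, the PFP flags on it, and the copy of the triggering packet header that the kernel would hand up with the ACQUIRE, it builds the selector for the new SAD entry the way RFC 4301 section 4.4.1 describes (a field with PFP set takes the single value seen in the packet, any other field keeps the SPD entry's range). The class and function names, the SPD entry and the packet header are constructed for illustration; the %hold latching that the mail also mentions is not modelled.

```python
"""Added example (not Openswan code): RFC 4301 "populate from packet" (PFP)
applied to the packet header delivered with a kernel ACQUIRE.

Everything below (names, the SPD entry, the packet) is constructed for
illustration; port-less protocols are treated as having the ANY port range.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    """One SPD/SAD traffic selector (RFC 4301 section 4.4.1).
    Every field is a range or set; a single value is a range of one."""
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int]          # None means ANY
    sport: Tuple[int, int]        # inclusive port range; (0, 65535) = ANY
    dport: Tuple[int, int]


@dataclass(frozen=True)
class PacketHeader:
    """The header copy that accompanies the ACQUIRE (constructed layout)."""
    src: IPv4Address
    dst: IPv4Address
    proto: int
    sport: int
    dport: int


PFP_FIELDS = frozenset({"src", "dst", "proto", "sport", "dport"})


def matches(sel: Selector, pkt: PacketHeader) -> bool:
    """True if the packet falls inside every field of the selector."""
    return (pkt.src in sel.src
            and pkt.dst in sel.dst
            and (sel.proto is None or sel.proto == pkt.proto)
            and sel.sport[0] <= pkt.sport <= sel.sport[1]
            and sel.dport[0] <= pkt.dport <= sel.dport[1])


def populate_from_packet(spd: Selector, pkt: PacketHeader,
                         pfp: FrozenSet[str]) -> Selector:
    """Derive the selector for the new SAD entry.

    A field whose PFP flag is set is narrowed to the value in the triggering
    packet; every other field copies the SPD entry's range unchanged.  A
    packet outside the SPD entry cannot have caused this ACQUIRE, so it is
    rejected instead of being allowed to shape (or widen) the SA."""
    unknown = pfp - PFP_FIELDS
    if unknown:
        raise ValueError("unknown PFP field(s): %s" % sorted(unknown))
    if not matches(spd, pkt):
        raise ValueError("packet does not match the SPD entry")
    return Selector(
        src=ip_network("%s/32" % pkt.src) if "src" in pfp else spd.src,
        dst=ip_network("%s/32" % pkt.dst) if "dst" in pfp else spd.dst,
        proto=pkt.proto if "proto" in pfp else spd.proto,
        sport=(pkt.sport, pkt.sport) if "sport" in pfp else spd.sport,
        dport=(pkt.dport, pkt.dport) if "dport" in pfp else spd.dport,
    )


# Constructed sample: a subnet-to-subnet SPD entry and the packet that
# triggered the ACQUIRE (TCP 10.0.1.7:40000 -> 192.0.2.10:443).
SPD_ENTRY = Selector(ip_network("10.0.1.0/24"), ip_network("192.0.2.0/24"),
                     None, (0, 65535), (0, 65535))
TRIGGER = PacketHeader(ip_address("10.0.1.7"), ip_address("192.0.2.10"),
                       6, 40000, 443)


def demo() -> Tuple[Selector, Selector]:
    """Return the SA selector without PFP and with PFP on src/dst/proto/dport."""
    wide = populate_from_packet(SPD_ENTRY, TRIGGER, frozenset())
    narrow = populate_from_packet(
        SPD_ENTRY, TRIGGER, frozenset({"src", "dst", "proto", "dport"}))
    return wide, narrow


if __name__ == "__main__":
    wide, narrow = demo()
    print("without PFP:", wide)
    print("with PFP   :", narrow)
    # A different flow from the same host: still inside the wide SA, outside the narrow one.
    other = PacketHeader(TRIGGER.src, TRIGGER.dst, 6, 40001, 80)
    print("other flow covered by wide SA:  ", matches(wide, other))
    print("other flow covered by narrow SA:", matches(narrow, other))
```

The point the comparison makes is the one behind the mail's remark that the kernel must pass the header up with the ACQUIRE: without it, user space can only copy the SPD ranges into the SA, and every flow in the subnet pair shares one SA; with it, the SA can be scoped to the flow that actually triggered it.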