[Openswan dev] [RFC 4301] PFP Support and Kernel SAD Selectors
Herbert Xu
herbert at gondor.apana.org.au
Wed Jan 9 17:45:21 EST 2008
Michael Richardson <mcr at xelerance.com> wrote:
>
> PFP = Populate From Packet.
> The way to do this is to have the kernel send a copy of the header
> that caused the ACQUIRE along with the acquire, and then to latch the
> connection into a %hold.

Linux already copies all the packet headers into the SA selector that's
part of the ACQUIRE message.

> netkey doesn't do %hold right now, which is a serious concern if you
> are going to have any kind of dynamic SAs.

We don't queue the packets but we do create a larval SA which is not
that different from KLIPS which IIRC just drops the packets in %hold
anyway.

What is missing is the code in pluto to create a wider larval SA in
response to the ACQUIRE message. Without this the same connection
can end up triggering multiple ACQUIRE messages, once for each flow.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
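The behaviour described above (a larval SA created with a packet-derived selector, and the extra ACQUIREs that result when the IKE daemon does not widen it to the policy's selector) can be modelled in a few lines. The following is an added simulation written for this archive page, not kernel, netkey or pluto code; the `Selector`, `Packet` and `KernelSAD` classes, the addresses and the four constructed packets are all assumptions chosen to illustrate the point, and the model keeps only the parts of the real mechanism the message discusses (policy match, larval SA, ACQUIRE, drop while larval).

```python
"""Simplified model of ACQUIRE / larval-SA handling (illustrative, not kernel code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector: address ranges plus protocol and ports (0 = wildcard)."""
    src: str
    dst: str
    proto: int = 0
    sport: int = 0
    dport: int = 0

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (0, pkt.proto)
                and self.sport in (0, pkt.sport)
                and self.dport in (0, pkt.dport))


def selector_from_packet(pkt: Packet) -> Selector:
    """Populate-From-Packet: the narrowest selector that covers this one flow."""
    return Selector(f"{pkt.src}/32", f"{pkt.dst}/32", pkt.proto, pkt.sport, pkt.dport)


class KernelSAD:
    """Model of the kernel side: one outbound IPsec policy, its larval SAs, ACQUIREs."""

    def __init__(self, policy: Selector):
        self.policy = policy
        self.larval: list[Selector] = []    # selectors of SAs that exist but have no keys
        self.acquires: list[Selector] = []  # selector carried by each ACQUIRE sent up

    def send(self, pkt: Packet) -> str:
        if not self.policy.matches(pkt):
            return "bypass"                  # not covered by the policy at all
        if any(sel.matches(pkt) for sel in self.larval):
            return "dropped"                 # larval SA present, keys pending: packet dropped
        # No SA covers this flow: create a larval SA keyed by the packet's own
        # header fields and send an ACQUIRE carrying that same selector.
        sel = selector_from_packet(pkt)
        self.larval.append(sel)
        self.acquires.append(sel)
        return "acquire"

    def install_larval(self, sel: Selector) -> None:
        """What an IKE daemon would do in response to an ACQUIRE."""
        self.larval.append(sel)


def simulate(widen: bool) -> int:
    """Return how many ACQUIREs one policy's worth of traffic triggers.

    widen=False: the daemon leaves the packet-narrow larval SA in place.
    widen=True:  the daemon installs a larval SA with the policy's selector.
    """
    policy = Selector("10.0.1.0/24", "10.0.2.0/24")   # constructed sample policy
    kernel = KernelSAD(policy)
    traffic = [                                        # constructed sample flows
        Packet("10.0.1.5", "10.0.2.9", 6, 40001, 22),  # flow A
        Packet("10.0.1.5", "10.0.2.9", 6, 40001, 22),  # flow A again
        Packet("10.0.1.5", "10.0.2.9", 6, 40002, 443), # flow B, same hosts, new port
        Packet("10.0.1.7", "10.0.2.9", 17, 5000, 53),  # flow C, another host
    ]
    for pkt in traffic:
        if kernel.send(pkt) == "acquire" and widen:
            kernel.install_larval(policy)
    return len(kernel.acquires)


if __name__ == "__main__":
    print("narrow larval SA:", simulate(False), "ACQUIREs")  # one per flow
    print("widened larval SA:", simulate(True), "ACQUIREs")  # one per policy
```

With the narrow selector every new flow under the same policy raises its own ACQUIRE (three here, the repeated flow A packet being dropped against the existing larval SA); once the daemon answers the first ACQUIRE with a larval SA as wide as the policy, the later flows hit that SA and no further ACQUIREs are generated.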