[Openswan dev] [RFC 4301] PFP Support and Kernel SAD Selectors

[Herbert Xu]

Michael Richardson <mcr at xelerance.com> wrote:
>
>    Herbert> Linux already copies all the packet headers into the SA
>    Herbert> selector that's part of the ACQUIRE message.
> 
>  Yes, that's part of the problem.
> 
>  It might be that the SA should be created based upon things that
> wasn't really known at the time, or isn't expressable in the kernel.
>  IKEv2 permits multiple SAs with what appear to be identical selectors,
> but they differ in other properties that only show up on the outside of
> the packet.  Getting the whole packet lets implement more things.
>  Originally, IKEv2 was actually going to transmit the header as part of
> the SA create, because maybe it would mean something on the remote end.

That sounds fair but in practice, is there anything in the packet that
isn't currently in the ACQUIRE selector that would make a difference to
openswan? If we have something concrete to look at then that at least
allows us to think about how the xfrm_user interface can be adapted to
what you need.

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt