[Openswan Users] KLIPS eroute selection question (fwd)

Paul Wouters paul at xelerance.com
Thu Mar 8 12:16:12 EST 2007


---------- Forwarded message ----------
Date: Thu, 08 Mar 2007 12:05:05 -0500
From: Michael Richardson <mcr at sandelman.ottawa.on.ca>
To: Paul Wouters <paul at xelerance.com>
Subject: Re: [Openswan Users] KLIPS eroute selection question (fwd)



>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    Paul> Shouldn't it pick on longest prefix? Or does it only pick on
    Paul> longest prefix of source?

  Most specific source first.
  Then, among those (if there is more than one), the longest prefix of
destination.

  So, you have to add additional policies.  %trap-mechanisms that build
an appropriate mesh can help (whether keyed from DNS like OE, or from
LDAP, or whatever).
  There is no consistent answer that works.

  RFC2401 says that each policy is supposed to have a priority, but that
simply turns a tree into a linear search which doesn't scale.
  Any priority system can be implemented via some set of actual
prefixes. Pluto could implement the priorities, but it doesn't.

- --
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
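
The selection order described in the message above, as an added example that is not part of the original post and is not Openswan or KLIPS code: a Python model that picks an eroute by longest source prefix, then longest destination prefix, and reports where that ordering sends traffic to a different policy than a destination-first reading would. The eroute table, the labels and the function names `select` and `shadowed` are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed eroute table (source net, destination net, label); not from the thread.
EROUTES = [
    ("10.1.0.0/16", "0.0.0.0/0", "tunnel-hub"),
    ("10.0.0.0/8", "192.168.5.0/24", "tunnel-branch"),
]

def parse(eroutes):
    return [(ip_network(s), ip_network(d), label) for s, d, label in eroutes]

def select(eroutes, src, dst, source_first=True):
    """Return the label of the eroute chosen for a packet, or None if none matches."""
    s, d = ip_address(src), ip_address(dst)
    hits = [e for e in parse(eroutes) if s in e[0] and d in e[1]]
    if not hits:
        return None
    if source_first:   # ordering described in the message
        key = lambda e: (e[0].prefixlen, e[1].prefixlen)
    else:              # what "longest destination prefix first" would give
        key = lambda e: (e[1].prefixlen, e[0].prefixlen)
    return max(hits, key=key)[2]

def shadowed(eroutes):
    """Find traffic that a narrower-destination eroute loses to a narrower-source one.

    Each result is (src net, dst net, expected label, actual label). Adding an
    eroute "src net -> dst net" for the expected label is the additional policy
    that restores the expectation.
    """
    table = parse(eroutes)
    out = []
    for a_src, a_dst, a_label in table:
        for b_src, b_dst, b_label in table:
            if (a_src != b_src and a_src.subnet_of(b_src)
                    and a_dst != b_dst and b_dst.subnet_of(a_dst)
                    and not any(s == a_src and d == b_dst for s, d, _ in table)):
                out.append((str(a_src), str(b_dst), b_label, a_label))
    return out

if __name__ == "__main__":
    print(select(EROUTES, "10.1.2.3", "192.168.5.9"))
    print(shadowed(EROUTES))
```

Running `shadowed` over a planned policy set before loading it shows which source/destination pairs would leave through a tunnel other than the one with the most specific destination.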





