[Openswan Users] [Openswan dev] Disturbing development trend

Paul Wouters paul at xelerance.com
Wed Apr 1 18:07:57 EDT 2009


On Wed, 1 Apr 2009, Jon wrote:

> OK, I got carried away with "useless".  Can you cite the RFC that mandates 
> the behaviour about which I have been complaining?  Maybe I could pester 
> him/her instead ;-)

> I played with policy adjustment to no avail before posting.  Regardless, I'm 
> not sure I agree with that.  It's hardly openswan's business to decide what 
> to do with packets if openswan cannot deliver them itself (and the null route 
> would take care of that anyway for folks who understand routing).

It is, e.g. RFC 2401, section 4.4.1:

    For any outbound or
    inbound datagram, three processing choices are possible: discard,
    bypass IPsec, or apply IPsec.  The first choice refers to traffic
    that is not allowed to exit the host, traverse the security gateway,
    or be delivered to an application at all.  The second choice refers
    to traffic that is allowed to pass without additional IPsec
    protection.  The third choice refers to traffic that is afforded
    IPsec protection, and for such traffic the SPD must specify the
    security services to be provided, protocols to be employed,
    algorithms to be used, etc.

>> That is a "feature" of the NETKEY stack, not the KLIPS stack, and totally
>> out of our control. I fully agree with you here. It's the way NETKEY is
>> hacked into the networking stack that causes this.
>> 
>
> Got a URL for a workaround?  I understand it's beyond your control, but my 
> (perhaps inferior) googling has been for naught - you're the first person 
> I've come across who even knew what I was talking about.

Passthrough connections. There should be examples in /etc/ipsec.d/examples/
or in the mailing list archive. A quick google gave me:
http://lists.openswan.org/pipermail/users/2007-May/012452.html

> I think the norm is to allow the admin to decide how packets (or anything 
> else, like file deletion) are dealt with on his/her machine - I think our 
> philosophies differ here...

You are suggesting to throw out all RFCs. That's fine. Just create OpenJon,
do not call it IPsec, and go implement it. Attend an IETF, and see how people
have carefully thought about every word in an RFC to see what the effects in
all situations could be, and why certain choices were made.

Paul
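The passthrough connection Paul refers to, as an added example that is not from the thread or from Openswan's own example files: it expresses the RFC 2401 "bypass IPsec" choice for one pair of subnets so that traffic between them keeps flowing in the clear even while no tunnel is up. The addresses are constructed placeholders and the keywords assume Openswan's ipsec.conf(5) syntax.

```ini
# Added example (not from the thread). Openswan ipsec.conf fragment that
# installs a bypass policy for traffic between two placeholder subnets.
# No SA is negotiated: it is a policy-only entry, so the packets are
# neither dropped nor encrypted, they are simply left alone by IPsec.
conn passthrough-lan
    # local gateway and the subnet behind it (constructed placeholders)
    left=192.0.2.1
    leftsubnet=192.0.2.0/24
    # remote gateway and its subnet (constructed placeholders)
    right=198.51.100.1
    rightsubnet=198.51.100.0/24
    # policy-only connection: nothing to authenticate, nothing to negotiate
    type=passthrough
    authby=never
    # install the policy at startup without starting IKE
    auto=route
```

On a NETKEY host the resulting policy can be confirmed with `ip xfrm policy`, where the entry shows no template, and that is the check to run if traffic for the pair is still being discarded.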

