Re: [IPSEC] Use xfrm_rcv for xfrm tunnel packets

From: Herbert Xu (herbert@gondor.apana.org.au)
Date: Thu Jul 31 2003 - 04:29:22 EST


On Wed, Jul 30, 2003 at 05:31:43PM -0700, David S. Miller wrote:
> On Tue, 29 Jul 2003 21:33:24 +1000
> Herbert Xu <herbert@gondor.apana.org.au> wrote:
>
> > This patch makes the xfrm_tunnel code use the same receive functions
> > as other IPSEC tunnels.
>
> Need something similar on the ipv6 side if we're going
> to seriously consider this.

I agree that we need to handle IPCOMP for IPv6 in the same way as
we do now for IPv4. However, I think that would be a different
patch.

In fact, I think that we need to preserve the guarantee that no
two addresses share the same XFRM tunnel for IPv6. To do that,
we will need to extend the SPI key in the SADB to at least 128
bits.

> So I did not want this knowledge inside of the generic xfrm_input.c
> file as a result, and that's what you're doing here :(

That makes sense. How about this patch?

Cheers,

-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu 许志壬 <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


- To unsubscribe from this list: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html


