Brian and me were discussing offline about the issue of structuring the policies in a better way than a list, so that some kind of automation in dealing with them would be possible.
The basic question that we tried to find an answer to was what should be done if more a datagram matches more policies and more specifically how the "best" policy in the SPD rather the first policy in the SPD list could be determined.
We didn't necessarily made much progress, but if enough people consider this an interesting topic, then we could get back online.
Brian Buesker wrote:
One other topic that was discussed on the ipsec-tools-devel mailing list was how support for specifying the priority for an SPD entry should be added to the PF_KEY interface. Such a priority is already supported in the XFRM interface, and it can be used to insert a policy into the SPD at locations other than the end.
The two possible approaches that have been suggested are:
1. Use the sadb_x_policy_reserved2 field of struct sadb_x_policy to indicate the priority.
2. Use the SADB_X_SPDSETIDX message to do this by defining a new message format that includes the priority (and optionally an interface index as well since this is also supported by the XFRM interface).
Are there opinions on which approach is preferrable? Is there a reason why the reserved2 field should not be used? Also, is SADB_X_SPDSETIDX intended to insert a policy or change the location of an existing one? Currently messages of this type just use pfkey_spdadd, so it seems that this message type could be used as an alternate way of inserting SPD entries when the priority and interface index are desired.
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html