-----BEGIN PGP SIGNED MESSAGE-----
On Thu, Feb 22, 2001 at 07:46:17AM -0800, Wes Hardaker wrote:
>
> [lots of stuff deleted]
>
> Richard> Treat incoming IPSEC encapsulation as an enhancement of the
> Richard> layer 2 protocol and decapsulate it at the NF_IP_PRE_ROUTING
> Richard> hook. This option is less favourable as it stands since it
> Richard> involves creating our own SPDB engine.
>
> As long as the filtering rules of the linux kernel meet the minimum
> requirements put forth in section 4.4.1 of RFC2401 (Which describes
> the SPDB), then reusing the existing kernel infrastructure is probably
> a very good thing from purely a reuse standpoint.

The only matcher which is not yet implemented is 'security level',
which is easy to do as a separate module when Linux actually
understands the concept.

Thanks!
> Wes Hardaker
> NAI Labs
> Network Associates
slainte mhath, RGB
- --
Richard Guy Briggs -- PGP key available Auto-Free Ottawa! Canada
<www.conscoop.ottawa.on.ca/rgb/> <www.flora.org/afo/>
Prevent Internet Wiretapping! -- FreeS/WAN:<www.freeswan.org>
Thanks for voting Green! -- <green.ca> Marillion:<www.marillion.co.uk>