[Top] [All Lists]

Re: take 2 WAS(Re: PATCH: IPSEC xfrm events

To: jamal <hadi@xxxxxxxxxx>
Subject: Re: take 2 WAS(Re: PATCH: IPSEC xfrm events
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 4 Apr 2005 12:46:00 +1000
Cc: Patrick McHardy <kaber@xxxxxxxxx>, Masahide NAKAMURA <nakam@xxxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, netdev <netdev@xxxxxxxxxxx>
In-reply-to: <1112582396.1096.427.camel@jzny.localdomain>
References: <1112403845.1088.14.camel@jzny.localdomain> <> <1112406164.1088.54.camel@jzny.localdomain> <> <1112469601.1088.173.camel@jzny.localdomain> <1112538718.1096.394.camel@jzny.localdomain> <> <1112579761.1096.412.camel@jzny.localdomain> <> <1112582396.1096.427.camel@jzny.localdomain>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040907i
On Sun, Apr 03, 2005 at 10:39:56PM -0400, jamal wrote:
> On Sun, 2005-04-03 at 22:26, Herbert Xu wrote:
> > I think that decision should be made by the KM.  So you wouldn't do it
> > for PFKEY, but netlink should definitely do it.
> Is it possible to have non-root privileged pfkey sockets. If yes,
> then it makes sense.

Currently Linux requires CAP_NET_ADMIN for PFKEY.  However, this
may not be the case on other systems.  That's the reason why the
RFC requires that the keys not be sent via PFKEY.

However for netlink there is no such issue.

Even if we do eventually open up netlink for non-root listeners
(this will actually require structural changes to netlink itself),
we can create a new multicast group for non-privileged users that
don't get the keys.

Visit Openswan at
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page:
PGP Key:

<Prev in Thread] Current Thread [Next in Thread>