Re: take 2 WAS(Re: PATCH: IPSEC xfrm events

netdev

Re: take 2 WAS(Re: PATCH: IPSEC xfrm events

To:	jamal <hadi@xxxxxxxxxx>
Subject:	Re: take 2 WAS(Re: PATCH: IPSEC xfrm events
From:	Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date:	Mon, 4 Apr 2005 12:46:00 +1000
Cc:	Patrick McHardy <kaber@xxxxxxxxx>, Masahide NAKAMURA <nakam@xxxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, netdev <netdev@xxxxxxxxxxx>
In-reply-to:	<1112582396.1096.427.camel@xxxxxxxxxxxxxxxx>
References:	<1112403845.1088.14.camel@xxxxxxxxxxxxxxxx> <20050402012813.GA24575@xxxxxxxxxxxxxxxxxxx> <1112406164.1088.54.camel@xxxxxxxxxxxxxxxx> <20050402014619.GB24861@xxxxxxxxxxxxxxxxxxx> <1112469601.1088.173.camel@xxxxxxxxxxxxxxxx> <1112538718.1096.394.camel@xxxxxxxxxxxxxxxx> <20050404005805.GA16543@xxxxxxxxxxxxxxxxxxx> <1112579761.1096.412.camel@xxxxxxxxxxxxxxxx> <20050404022601.GA17293@xxxxxxxxxxxxxxxxxxx> <1112582396.1096.427.camel@xxxxxxxxxxxxxxxx>
Sender:	netdev-bounce@xxxxxxxxxxx
User-agent:	Mutt/1.5.6+20040907i

On Sun, Apr 03, 2005 at 10:39:56PM -0400, jamal wrote:
> On Sun, 2005-04-03 at 22:26, Herbert Xu wrote:
>
> > I think that decision should be made by the KM.  So you wouldn't do it
> > for PFKEY, but netlink should definitely do it.
> 
> Is it possible to have non-root privileged pfkey sockets. If yes,
> then it makes sense.

Currently Linux requires CAP_NET_ADMIN for PFKEY.  However, this
may not be the case on other systems.  That's the reason why the
RFC requires that the keys not be sent via PFKEY.

However for netlink there is no such issue.

Even if we do eventually open up netlink for non-root listeners
(this will actually require structural changes to netlink itself),
we can create a new multicast group for non-privileged users that
don't get the keys.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: PATCH: IPSEC xfrm events, (continued) Re: PATCH: IPSEC xfrm events, Herbert Xu take 2 WAS(Re: PATCH: IPSEC xfrm events, jamal Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, jamal Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, Patrick McHardy Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, jamal Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, jamal Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, Herbert Xu Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, jamal Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, Herbert Xu Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, jamal Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, Herbert Xu <= Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, jamal Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, jamal Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, Herbert Xu Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, jamal Re: take 2-2 WAS(Re: PATCH: IPSEC xfrm events, jamal Re: take 2-2 WAS(Re: PATCH: IPSEC xfrm events, Herbert Xu Re: take 2-2 WAS(Re: PATCH: IPSEC xfrm events, jamal Re: take 2-2 WAS(Re: PATCH: IPSEC xfrm events, Herbert Xu Re: take 2-2 WAS(Re: PATCH: IPSEC xfrm events, jamal Re: take 2-2 WAS(Re: PATCH: IPSEC xfrm events, Herbert Xu

Previous by Date:	Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, jamal
Next by Date:	Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, Herbert Xu
Previous by Thread:	Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, jamal
Next by Thread:	Re: take 2 WAS(Re: PATCH: IPSEC xfrm events, jamal
Indexes:	[Date] [Thread] [Top] [All Lists]