
Re: [PATCH 3/3 XFRM]: Fix invalid key for lookup of cached bundles

To: "David S. Miller" <davem@xxxxxxxxxxxxx>
Subject: Re: [PATCH 3/3 XFRM]: Fix invalid key for lookup of cached bundles
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 15 Mar 2005 17:01:53 +1100
Cc: Patrick McHardy <kaber@xxxxxxxxx>, netdev@xxxxxxxxxxx
In-reply-to: <20050314215122.356ea961.davem@davemloft.net>
References: <422AF8D0.3010905@trash.net> <20050307012458.GA4335@gondor.apana.org.au> <422BB14A.5030302@trash.net> <20050307014337.GA4451@gondor.apana.org.au> <422BB477.3040607@trash.net> <20050307015943.GA4533@gondor.apana.org.au> <422BBCC2.4010706@trash.net> <20050307025723.GA4818@gondor.apana.org.au> <422BC655.5070907@trash.net> <20050314215122.356ea961.davem@davemloft.net>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040907i

On Mon, Mar 14, 2005 at 09:51:22PM -0800, David S. Miller wrote:
> On Mon, 07 Mar 2005 04:11:17 +0100
> Patrick McHardy <kaber@xxxxxxxxx> wrote:
> 
> > Herbert Xu wrote:
> > > The reason I'm asking is because the places where you're most likely
> > > to use tos/fwmark is in IPsec gateways.  In other words, it isn't
> > > very useful unless it works in tunnel mode.  This plus the fact
> > > that the check for tunnel mode is a bit of a hack makes me think that
> > > it's not worth it at the moment.
> > 
> > Ok, let's drop it for now.
> 
> Can someone send me an updated patch (with changelog msg please)?

I think the conclusion is that until we fix the bundle scalability
problem there is no point in adding tos/fwmark support here.

The reason is that if we do it now then tunnel mode SAs will potentially
be targets of DoS attacks that create a large number of bundles off
one policy.  However, tunnel mode SAs would be the main users of
this feature so if we can't do it for them then we might as well not
do it.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
