netdev

Re: IPsec xfrm resolution

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: IPsec xfrm resolution
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Sat, 19 Feb 2005 13:29:25 +0100
Cc: Maillist netdev <netdev@xxxxxxxxxxx>
In-reply-to: <20050219092314.GA8153@gondor.apana.org.au>
References: <20050209085251.GA9030@gondor.apana.org.au> <420B9DF1.3020704@trash.net> <20050210202810.GA1609@gondor.apana.org.au> <42144C3F.2060501@trash.net> <20050217091137.GA9476@gondor.apana.org.au> <42152841.5000707@trash.net> <20050218100854.GA19427@gondor.apana.org.au> <4216D6B4.5070901@trash.net> <20050219092314.GA8153@gondor.apana.org.au>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.5) Gecko/20050106 Debian/1.7.5-1
Herbert Xu wrote:
> On Sat, Feb 19, 2005 at 07:03:32AM +0100, Patrick McHardy wrote:
>
> > - netfilter LOCAL_OUT hook sees incorrect output device
> > - strict source routing check done with incorrect rt_gateway
>
> Once you take the above into account these turn out to be non-issues. If the optional SA is transport mode, then the route is identical with or without it. If it's tunnel mode, then we must perform the IPIP encapsulation regardless.

This is not what happens currently. If an optional IPCOMP SA is missing
it is skipped entirely. It is also legal to configure an optional
ah/esp tunnel, although we don't accept such packets if the SA isn't
present.

Regards
Patrick

