(usagi-users 03463) Re: Showstopper for transport mode IPSec in Linux kernel?
- To: Mitsuru KANDA / 神田 充 <mk@xxxxxxxxxx>
- Subject: (usagi-users 03463) Re: Showstopper for transport mode IPSec in Linux kernel?
- From: "Peder Chr. Norgaard" <Peder.Chr.Norgaard@xxxxxxxxxxxx>
- Date: Thu, 4 Aug 2005 10:51:14 +0200 (CEST)
- Cc: usagi-users@xxxxxxxxxxxxxx
- In-reply-to: <87pssviefp.wl%mk@karaba.org>
- References: <Pine.LNX.4.58.0508031009000.20068@nellike.ted.dk.eu.ericsson.se> <87pssviefp.wl%mk@karaba.org>
- Reply-to: usagi-users@xxxxxxxxxxxxxx
On Wed, 3 Aug 2005, Mitsuru KANDA / 神田 充 wrote:
> Just FYI.
>
> Please see 'ARP-like resolution of IPSEC rules' in http://vger.kernel.org/~davem/net_todo.html
Thanks for the pointer. It is a big relief for me to see that the problem
is known and acknowledged.
>
> At Wed, 3 Aug 2005 10:18:39 +0200 (CEST),
> "Peder Chr. Norgaard" <Peder.Chr.Norgaard@xxxxxxxxxxxx> wrote:
> >
> > I sent the mail below to this list some weeks ago, and I am a little
> > surprised that there has been no response. The problem is actually quite
> > serious, and it is specific for the Linux kernel implementation of IPsec -
> > I have talked with people who claim that the problem is not present in
> > *bsd kernels, for instance.
>
> BSD(aka kame impl.) just discards the first packet before keyring
> negotiation done.
Yes, that is one way of solving the problem. In my book this technique is
OK - it has the advantage of simplicity. The queueing technique that is
described in the reference you give is bound to be more complex to get
right.
Thanks again
--
Peder Chr. Nørgaard Senior System Developer, M. Sc.
Ericsson Denmark A/S, Telebit Division
Skanderborgvej 232 tel: +45 30 91 84 31
DK-8260 Viby J, Denmark fax: +45 89 38 51 01
e-mail: Peder.Chr.Norgaard@xxxxxxxxxxxx
(old e-mail 2000-2003: Peder.C.Norgaard@xxxxxxxxxxxxxxx)
(old e-mail 1992-2000: pcn@xxxxxxx)
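The thread contrasts two ways of handling an outbound packet that matches an IPsec policy before any Security Association exists: the KAME/BSD behaviour of discarding the packet while the key manager negotiates, and the queueing ("ARP-like resolution") approach on the net_todo list. The following Python model is an added illustration, not code from this thread or from either kernel; `IPsecPolicyEngine`, `run_scenario`, the peer name `peer-A` and the packet labels are all constructed for the example, and the bounded queue size is an assumed design choice.

```python
"""Toy model of outbound IPsec policy handling when no SA exists yet.

Added illustration for the usagi-users thread above; this is not kernel code.
It models the two strategies discussed there:
  "drop"  - discard the packet while the key manager negotiates (KAME/BSD)
  "queue" - hold the packet and release it once the SA is established
"""
from collections import deque


class IPsecPolicyEngine:
    def __init__(self, mode, max_queue=3):
        assert mode in ("drop", "queue")
        self.mode = mode
        self.max_queue = max_queue   # assumed bound on queued packets per peer
        self.sad = set()             # established SAs, keyed by peer (constructed)
        self.pending = {}            # peer -> deque of packets waiting for an SA
        self.acquires = []           # ACQUIRE requests handed to the key manager
        self.sent = []               # packets transmitted under IPsec protection
        self.dropped = []            # packets lost because no SA was available

    def send(self, peer, pkt):
        """Outbound path: protect and send if an SA exists, else acquire one."""
        if peer in self.sad:
            self.sent.append((peer, pkt))
            return "sent"
        if peer not in self.pending:
            # First packet to this peer: trigger negotiation exactly once.
            self.acquires.append(peer)
            self.pending[peer] = deque()
        if self.mode == "drop":
            self.dropped.append((peer, pkt))
            return "dropped"
        q = self.pending[peer]
        if len(q) >= self.max_queue:
            # Bounded queue: packets to an unreachable peer must not pile up
            # without limit, so the oldest waiting packet is evicted.
            self.dropped.append((peer, q.popleft()))
        q.append(pkt)
        return "queued"

    def sa_established(self, peer):
        """Key manager reports success: install the SA and flush the queue."""
        self.sad.add(peer)
        flushed = 0
        for pkt in self.pending.pop(peer, ()):
            self.sent.append((peer, pkt))
            flushed += 1
        return flushed

    def sa_failed(self, peer):
        """Negotiation failed or timed out: discard whatever was waiting."""
        waiting = list(self.pending.pop(peer, ()))
        self.dropped.extend((peer, p) for p in waiting)
        return len(waiting)


def run_scenario(mode):
    """TCP-like sequence: SYN, a retransmitted SYN, SA comes up, then data."""
    eng = IPsecPolicyEngine(mode)
    results = [eng.send("peer-A", "SYN"), eng.send("peer-A", "SYN-retransmit")]
    flushed = eng.sa_established("peer-A")
    results.append(eng.send("peer-A", "DATA"))
    return {
        "results": results,
        "flushed": flushed,
        "acquires": len(eng.acquires),
        "sent": [p for _, p in eng.sent],
        "dropped": [p for _, p in eng.dropped],
    }


if __name__ == "__main__":
    for mode in ("drop", "queue"):
        print(mode, run_scenario(mode))
```

In "drop" mode the SYN and its retransmission are both lost and only the data sent after the SA exists goes out, which is the connection-setup delay the thread is about; in "queue" mode both SYNs are released in order once the SA is installed, at the cost of the extra state (per-peer queue, bound, and a failure path) that the reply calls harder to get right.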