Re: mode (tunnel/transport) in PF_Key
On Tue, 13 Apr 1999, Markku Savela wrote:
> Whether or not to use tunnel is defined by the policy definition. IKE
> cannot change it. No PF_KEY interface is needed.
The crucial fact to understand is that PF_KEY as currently defined is
meant to be a *key management* kernel interface, not a general IPSEC
kernel interface. However, PF_KEY itself compromises somewhat on this,
by dealing with other aspects of SA creation than just keying -- aspects
which trespass into realms of (gasp!) policy -- so it is not surprising
that many people want to extend it further in that direction.
Henry Spencer
henry@spsystems.net
(henry@zoo.toronto.edu)