Re: issues from the bakeoff
>> Well-known CPI is not very friendly with PFKEY interface (RFC2367).
>> RFC2367 expects unique SPI per peer (which can embed CPI in lower
>> 2 bytes), but for well-known CPI we can't.
>Why is this an issue?
>You can treat the well-known CPI as a pre-added compression association,
>which, if you use SADB_GET, would reveal a match. If you tried to
>ADD/UPDATE, you'd just get EEXIST.
We need to put an explicit (src, dst, cpi) set into the kernel,
as we never specify the cpi/spi from the policy management routines;
the spi/cpi will be picked by the kernel. Therefore, we need to
configure (src, dst, cpi) explicitly (it cannot be preloaded).
For the inbound direction there is no issue - we can accept any packet
with the well-known CPI. For the outbound direction I'm sure we have
issues to be solved.
itojun