IPsec implementation key_spdacquire
Andrey V. Elsukov
ae at FreeBSD.org
Thu Oct 6 12:36:39 UTC 2016
On 06.10.2016 14:01, Rafa Marin Lopez wrote:
> In the file key.c in netipsec there is a function:
>
> key_spdacquire(struct secpolicy *sp)
>
> which is implemented but in the table:
>
>
> static int (*key_typesw[])(struct socket *, struct mbuf *, const
> struct sadb_msghdr *) = { ...
>
> NULL, /* SADB_X_SPDACQUIRE */
>
>
> Does it mean it is not usable?
>
> We are interested because we are dealing with handling IPsec by using
> the SDN paradigm
> (https://tools.ietf.org/html/draft-abad-i2nsf-sdn-ipsec-flow-protection-00)
> and we would need an event when an IP packet needs a policy to be
> configured for an outbound packet.
Hi,
Yes, it isn't usable.
In my understanding SADB_X_SPDACQUIRE should be used in conjunction with
SADB_X_SPDSETIDX and SADB_X_SPDUPDATE, in a similar way to how
SADB_GETSPI+SADB_ACQUIRE+SADB_UPDATE currently works.
Currently I have done a heavy redesign of SADB/SPDB and have also just
removed SADB_X_SPDSETIDX and SADB_X_SPDACQUIRE support, since
1) it is unused;
2) I failed to find an IKEd that supports it;
3) there is no code in the IPsec that assumes such usage.
My work is still in progress, currently we are doing testing. But if you
have software that will use this, I will think how to implement it.
--
WBR, Andrey V. Elsukov