[hipl-users] Re: [Hipsec] Re: [PATCH 2.6.12.2] XFRM: BEET IPsec mode for Linux

  • From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
  • To: Miika Komu <miika@xxxxxx>
  • Date: Thu, 4 Aug 2005 23:15:19 +1000

Hi Miika:

On Wed, Aug 03, 2005 at 11:57:24PM +0300, Miika Komu wrote:
> 
> Based on the comments from Pekka Nikander, it seems to me that
> generalizing XFRM to support AH with different inner and outer families
> may not be very useful (a). On the other hand, the different inner and outer

Well to me it's more of an issue of maintainability.  BEET mode is
more akin to transport/tunnel mode than AH/ESP/IPcomp.  As such its
implementation would be most at home where the existing encapsulation
and decapsulation for transport/tunnel mode is done.  That is, in
xfrm[46]_input.c and xfrm[46]_output.c.

For instance, the reason the current patch has to touch esp4.c at
all is really because the patch to xfrm4_output.c isn't right.
It should do what the comment says and set skb->h to the start
of the payload, not the start of the ESP header.  If it did that,
then esp_output doesn't have to care about BEET at all.

Also, the outer header generation should be done before
x->type->output is called, not after.  That way, the AH
semantics falls out quite naturally.

> families for BEET is *extremely* useful (b). Excluding this support from
> BEET restricts the HIP implementations and applications quite radically.

I agree with you wholeheartedly that this is extremely useful.
However, I also see nothing that's BEET-specific about this
feature.

So for the sake of the overall consistency of the IPsec stack
please keep the implementation generic instead of BEET-specific.
That is, please do it in a way so that it applies to plain
tunnel mode as well.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
