Re: linux-ipsec: Re: tncfg+ifconfig adds a route under 2.2.x

Henry Spencer (henry@spsystems.net)
Tue, 24 Aug 1999 19:36:29 -0400 (EDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Bill Wilson: "How can /proc/net/dev not report bytes?"
Previous message: Guest section DW: "Re: Partitionid!"

On Tue, 24 Aug 1999, Matthew G. Marsh wrote:
> ...Using IPIP tunnelling (new_tunnel.c) behind the scenes is very bad
> practice. If you can create the ipsec device and use it a'la dummy or
> ethertap then you can have the entire thing. Backwrds compatible simply
> creates an ipip tunnel and binds it to the remote...

We'll be happy to use existing tunnel machinery if we can... but it will
take some careful study to establish that we indeed can. IPSEC imposes a
number of constraints; in particular, we have a requirement to do certain
types of checking on an incoming packet *after* it emerges from the
tunnel. (We aren't currently doing this, but that is a bug.) We may be
able to do it using the new routing machinery, but that needs to be
confirmed.

Henry Spencer
henry@spsystems.net
(henry@zoo.toronto.edu)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Bill Wilson: "How can /proc/net/dev not report bytes?"
Previous message: Guest section DW: "Re: Partitionid!"