Re: [PATCH] IPSec protocol application order

David S. Miller (davem@redhat.com)
19 Feb 2003 17:32:09 -0800

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Chris Wedgwood: "Re: [PATCH] IPSec protocol application order"
Previous message: Roman Zippel: "Re: [RFC] Is an alternative module interface needed/possible?"
Next in thread: Chris Wedgwood: "Re: [PATCH] IPSec protocol application order"
Reply: Chris Wedgwood: "Re: [PATCH] IPSec protocol application order"
Reply: David S. Miller: "Re: [PATCH] IPSec protocol application order"

On Wed, 2003-02-19 at 15:03, Tom Lendacky wrote:
> I apologize if I missed it, but is there another way to set policy in the
> SPD besides the setkey command? I am under the assumption that setkey's
> spdadd operation is what is to be used to define the policy on the system
> so that racoon can perform dynamic keying.

That's correct.

But there is still no issue.

The user can make his machine non-RFC compliant by giving a bogus
specification to setkey. Kernel and setkey are merely doing what
the user asks of them.

This is akin to the user writing a RAW socket application which makes
the kernel output non-RFC compliant TCP packets. Do you suggest that
the kernel or some other part of the system should verify the packets
sent through the RAW socket interface? That is exactly what you are
telling us that setkey should be doing.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Wedgwood: "Re: [PATCH] IPSec protocol application order"
Previous message: Roman Zippel: "Re: [RFC] Is an alternative module interface needed/possible?"
Next in thread: Chris Wedgwood: "Re: [PATCH] IPSec protocol application order"
Reply: Chris Wedgwood: "Re: [PATCH] IPSec protocol application order"
Reply: David S. Miller: "Re: [PATCH] IPSec protocol application order"