>>>>> "Paul" == Paul Wouters <p...@cypherpunks.ca> writes:

    Paul> That seems more predictable and stable than "whatever
    Paul> connection loaded first"?
1) Please don't confuse the Linux NETKEY/XFRM's API with RFC4301. RFC4301 says that the admin controls the order of the policies, while XFRM does not give the admin any real control, and embeds policies in the kernel in a really really really bad way, rather than in a policy daemon.

2) Please don't confuse KLIPS with RFC4301. KLIPS implements the policy, and yes, it uses longest-prefix match for destination, then source, then port ranges, etc. in essentially the way that the decorrelation algorithm describes. The decorrelation algorithm was independently invented by Luis Sanchez/BBN, myself and others, around the time of RFC2401 hitting the press.

3) Pluto actually provides an ordering mechanism between policies, which is the ordering mechanism for policies as specified in 4301.

--
] He who is tired of Weird Al is tired of life!           | firewalls    [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
  Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
              then sign the petition.
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
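The thread contrasts two ways of picking the SPD entry that governs a packet: an admin-ordered list where the first match wins (the RFC 4301 model Michael attributes to Pluto), and a most-specific match on destination prefix, then source prefix, then port range (the KLIPS behaviour he describes). The following is an added illustration, not code from KLIPS, NETKEY/XFRM, Pluto or anyone on this thread. It assumes a deliberately reduced selector (destination prefix, source prefix and destination-port range only; no protocol, names or ICMP types) and a constructed three-entry SPD, and it includes an overlap check so an administrator can see which entries make ordering matter at all.

```python
"""Toy IPsec SPD lookup: ordered first-match vs most-specific match.

Added example with a simplified selector model (dst prefix, src prefix,
dst port range). Real SPDs carry more selector fields; this is enough to
show why the two selection models can disagree on the same packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SpdEntry:
    name: str
    dst: str                 # destination prefix, e.g. "10.0.0.0/8"
    src: str                 # source prefix
    dport: Tuple[int, int]   # inclusive destination port range
    action: str              # "PROTECT", "BYPASS" or "DISCARD"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(dst_ip) in ip_network(self.dst)
                and ip_address(src_ip) in ip_network(self.src)
                and self.dport[0] <= dport <= self.dport[1])

    def overlaps(self, other: "SpdEntry") -> bool:
        """True if some packet could match both entries (order then matters)."""
        return (ip_network(self.dst).overlaps(ip_network(other.dst))
                and ip_network(self.src).overlaps(ip_network(other.src))
                and self.dport[0] <= other.dport[1]
                and other.dport[0] <= self.dport[1])


def lookup_ordered(spd: List[SpdEntry], src_ip: str, dst_ip: str,
                   dport: int) -> Optional[SpdEntry]:
    """RFC 4301 style: the SPD is an ordered list and the first match wins."""
    for entry in spd:
        if entry.matches(src_ip, dst_ip, dport):
            return entry
    return None


def lookup_most_specific(spd: List[SpdEntry], src_ip: str, dst_ip: str,
                         dport: int) -> Optional[SpdEntry]:
    """Longest destination prefix, then longest source prefix, then the
    narrowest destination-port range. Among fully tied entries, max() keeps
    the first one seen, so list order is only a last-resort tie-breaker."""
    candidates = [e for e in spd if e.matches(src_ip, dst_ip, dport)]
    if not candidates:
        return None
    return max(candidates, key=lambda e: (ip_network(e.dst).prefixlen,
                                          ip_network(e.src).prefixlen,
                                          -(e.dport[1] - e.dport[0])))


def overlapping_pairs(spd: List[SpdEntry]) -> List[Tuple[str, str]]:
    """Entry pairs whose selectors intersect; only these are order-sensitive."""
    return [(a.name, b.name) for a, b in combinations(spd, 2) if a.overlaps(b)]


# Constructed sample SPD. The admin listed the broad BYPASS first, so an
# ordered lookup never reaches the narrower PROTECT entry for SSH.
SAMPLE_SPD = [
    SpdEntry("bypass-intranet", "10.0.0.0/8", "0.0.0.0/0", (0, 65535), "BYPASS"),
    SpdEntry("protect-ssh", "10.1.2.0/24", "192.0.2.0/24", (22, 22), "PROTECT"),
    SpdEntry("discard-dmz", "203.0.113.0/24", "0.0.0.0/0", (0, 65535), "DISCARD"),
]


def disagreements(spd: List[SpdEntry], packets):
    """Packets (src, dst, dport) on which the two selection models differ."""
    out = []
    for src_ip, dst_ip, dport in packets:
        a = lookup_ordered(spd, src_ip, dst_ip, dport)
        b = lookup_most_specific(spd, src_ip, dst_ip, dport)
        if (a.name if a else None) != (b.name if b else None):
            out.append(((src_ip, dst_ip, dport),
                        a.name if a else None, b.name if b else None))
    return out


if __name__ == "__main__":
    pkts = [("192.0.2.10", "10.1.2.3", 22),     # SSH into the protected /24
            ("192.0.2.10", "10.9.9.9", 22),     # SSH elsewhere in 10/8
            ("192.0.2.10", "198.51.100.1", 80)] # matches nothing
    for pkt, ordered, specific in disagreements(SAMPLE_SPD, pkts):
        print(f"{pkt}: ordered -> {ordered}, most-specific -> {specific}")
    print("order-sensitive pairs:", overlapping_pairs(SAMPLE_SPD))
```

The one disagreement is exactly the SSH packet into 10.1.2.0/24: the ordered lookup applies the administrator's broad BYPASS, the most-specific lookup applies PROTECT. Moving protect-ssh ahead of bypass-intranet makes both models agree, and `overlapping_pairs` reports that this is the only pair in the sample SPD where the placement matters.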