Kacheong Poon writes:
> James Carlson wrote:
>
> > That seems to me to get more complicated.  Why should we apply more
> > implementation effort to something that is intentionally narrow use.
>
> Hey, I thought implementation effort did not matter as the current
> proposal actually took more effort to implement than a simple
> socket option ;-)

The socket option would also be radically different from what BSD has
already done, and I'm not actually so sure it'd be easier to get
_right_, as a well-trodden path is usually easier.

> > The option just doesn't make sense to me.  The only one that could
> > make some sense is PF_KEY, as a full Cisco-like command line interface
> > would potentially allow the user to specify the key from within the
> > application (as distasteful and insecure as that may be).
>
> Suppose Quagga has a CLI which does what Cisco's does, why would a socket
> option not work in this case?  Can't Quagga just take the command
> line input and do a setsockopt()?

A socket option that just does on/off (as the previous poster was
suggesting) is useless for such a CLI.

A socket option that does as you're suggesting (and which is not what
anyone else is suggesting -- that's not what IP_SEC_OPT does) would in
fact work, as it's roughly equivalent in functionality to using PF_KEY
directly.  (Which, really, I don't think is that hard anyway.)

--
James Carlson, Solaris Networking <[EMAIL PROTECTED]>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
