Kacheong Poon writes:
> James Carlson wrote:
>
> > The socket option would also be radically different from what BSD has
> > already done, and I'm not actually so sure it'd be easier to get
> > _right_, as a well-trodden path is usually easier.
>
> By "BSD," you meant the OpenBSD distro, right?

Yes.

> > A socket option that does as you're suggesting (and which is not what
> > anyone else is suggesting -- that's not what IP_SEC_OPT does) would in
> > fact work, as it's roughly equivalent in functionality to using PF_KEY
> > directly. (Which, really, I don't think is that hard anyway.)
>
> I was trying to point out that using IPsec policy engine and
> PF_KEY is not the only workable way to get TCP MD5 into Solaris.
> The arguments so far seem to suggest that the proposal is the only
> workable way. I don't think that's true at all.

We've all agreed that both an IPsec approach and an ad-hoc socket
option could be made to work.

The questions are about which is easier, which works better with
applications, and which is more like other implementations (and thus
more consistent). The answers aren't perfect, but I think the IPsec
mechanism has an edge.

-- 
James Carlson, Solaris Networking <[EMAIL PROTECTED]>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
_______________________________________________
networking-discuss mailing list
[email protected]
