On Thu, Oct 09, 2008 at 04:37:13PM -0700, Darren Reed wrote:
> I don't know how long we've had bidirectional dependencies between
> ip and ipsecah, but to my way of thinking, that we do screams out loud
> that the architecture between these components is somewhat lacking.
You are correct.
> But isn't there a better way here?
There is, but there are no resources to perform it now.
> Why does IP need to call anything directly inside of IPsec?
You mean besides IPsec packet processing?!?
> Or maybe a better position to take is one of these two:
> 1) IPSec should be a part of the IP kernel module or
Part of it (the SPD) already is.
> 2) we need a better set of interfaces/architecture such
> that IP doesn't need to make calls into IPSec via functions
> like sadb_buf_pkt.
Ahh, yes. That was a fairly recent change, and wouldn't happen unless IPsec
is loaded already.
There is a need to rearchitect IPsec and IP interactions. Much of it is
still vestigial from when we needed to use STREAMS as a clever way to bypass
US Export Laws ("STREAMS is general purpose!!!").
Dan
_______________________________________________
networking-discuss mailing list
[email protected]