> GW: from what I can gather policy is a bit more flexible. There is an
> interesting property of linux ipsec that came up when Ted and Joe were
> visiting; apparently when you have negotiated a connection, the first
> packet gets dropped. Most people don't care, but I was just hoping
> everyone is aware of this. Since we are negotiating lots of connections,
> customers might see this as not desirable, especially as BSD ipsec doesn't
> do this.
> SG: is it tcp or udp packet?
> JL: does this regardless of packet type
> KW: what happens is it returns "temporarily unavailable". It is better if it
> drops the packet rather than returning an error.
> SG: I think you are saying you do want to fix this
> GW: yes, I think it will be desirable to fix it.
> SG: we need a bugzilla
> GW: I asked joy to open one but wanted to get your read on it
> SG: I don't think it is desirable to return an error. So maybe it is a flag
> that can be set to not let it do that. Either way, first step is to open
> a bugzilla so that people can evaluate it. Also a test case on how to
> set up and maybe strace output if needed.
> GW: can you provide that joy
> JL: yes
> SG: if you can do it simply that would be better than the lspp setup we
> currently have
> GW: thanks steve. I wasn't even aware of this property. It will affect
> customers in this environment.
I think this problem was discussed at netconf 2006 by James Morris:
http://vger.kernel.org/jmorris_ipsec_sa_resolution_netconf2006.pdf

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
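As an added illustration (not part of the thread, and not code from the LSPP project or the kernel) of what an application sees when the behaviour described above is hit: the first datagram sent while the IPsec SA is still being negotiated fails with "temporarily unavailable", which on Linux is the strerror text for EAGAIN, while later datagrams go through. The socket stand-in below is constructed to model that one transient failure (the mapping to EAGAIN is an assumption drawn from the error text quoted in the thread, and the peer address is a placeholder); the send wrapper shows the defensive handling a client needs so that the first packet is retried rather than lost, while non-transient errors still surface immediately.

```python
import errno
import os
import time


class LarvalSaSocket:
    """Constructed stand-in for a UDP socket whose first sendto() hits a
    pending (larval) IPsec SA.  It models the behaviour described in the
    thread: the first datagram is not queued and the caller sees EAGAIN
    ("Resource temporarily unavailable"); subsequent datagrams succeed.
    This is a simulation only; no real socket or SA is involved."""

    def __init__(self, failures_before_success=1):
        self.remaining_failures = failures_before_success
        self.sent = []          # datagrams that "made it onto the wire"
        self.attempts = 0       # every sendto() call, failed or not

    def sendto(self, data, addr):
        self.attempts += 1
        if self.remaining_failures > 0:
            self.remaining_failures -= 1
            raise BlockingIOError(errno.EAGAIN, os.strerror(errno.EAGAIN))
        self.sent.append((data, addr))
        return len(data)


def send_with_sa_retry(sock, data, addr, retries=5, initial_delay=0.01):
    """Send one datagram, retrying on EAGAIN/EWOULDBLOCK with exponential backoff.

    Returns (bytes_sent, attempts_used).  If the datagram still cannot be sent
    after `retries` attempts the last OSError is re-raised, so a path that is
    genuinely broken is not hidden behind the retry loop.
    """
    delay = initial_delay
    last_err = None
    for attempt in range(1, retries + 1):
        try:
            n = sock.sendto(data, addr)
            return n, attempt
        except OSError as e:
            # Only EAGAIN/EWOULDBLOCK is the transient "SA not ready yet" case.
            # Anything else (e.g. EHOSTUNREACH, or EPERM from a policy that
            # forbids the flow) is a real error and must surface immediately.
            if e.errno not in (errno.EAGAIN, errno.EWOULDBLOCK):
                raise
            last_err = e
            time.sleep(delay)
            delay = min(delay * 2, 0.5)
    raise last_err


def demo():
    """Run one send through the simulated larval-SA socket.

    Returns (bytes_sent, attempts_used_by_wrapper, calls_seen_by_socket)."""
    peer = ("192.0.2.10", 5000)       # placeholder peer (TEST-NET-1 address)
    sock = LarvalSaSocket(failures_before_success=1)
    n, attempts = send_with_sa_retry(sock, b"first datagram", peer)
    return n, attempts, sock.attempts


if __name__ == "__main__":
    n, attempts, total = demo()
    print(f"sent {n} bytes after {attempts} attempt(s); socket saw {total} call(s)")
```

The wrapper deliberately does not swallow every error: retrying only on EAGAIN keeps the "first packet" quirk from surfacing to users without masking policy rejections or routing failures, which is the distinction the thread draws between dropping the packet and returning an error.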
