Subject: Re: [PATCH] IPSec protocol application order
To: "David S. Miller" <davem@redhat.com>
Cc: cw@f00f.org, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org
Message-ID: <OFEE5E8DF8.35868017-ON86256CD3.004F81AF-86256CD3.005099DD@pok.ibm.com>
From: "Tom Lendacky" <toml@us.ibm.com>
Date: Thu, 20 Feb 2003 08:40:22 -0600
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1168
Lines: 33


I believe that good documentation will also be required then.  If it is
being decided that the user must enter the ipsec protocols in the proper
order using the setkey spdadd operation, then the user will need to know
what order in which to specify the arguments to setkey.  Given that the
spdadd operation:

  spdadd src-ip dst-ip any -P out ipsec ah/transport//require
esp/transport//require;

would result in improper ordering of the AH and ESP headers and therefore
interoperability problems, while

  spdadd src-ip dst-ip any -P out ipsec esp/transport//require
ah/transport//require;

results in the proper order.

No where have I been able to find any user level documentation that says
what order the ipsec protocols need to be specified on the spdadd
operation.  Without good documentation I believe support centers, both a
customer's own and/or a distributor's, may be getting a lot of unnecessary
calls.

Tom


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/