> > > > > Ok, so to confirm: > > Your only issue here is that patch is that we have to split ipsec-secgw > > SADB into > > two? > > > > No objections to other part: > > - search for given SPI value across both SPDs (IPv4 and IPv6) > > - for each positive result create a new SA. > > So if we have same SPI in both IPv4 and IPv6 SPDs instead of one SA that > > would be referred by both SPD tables (current situation), > > we will create 2 independent SAs - one for IPv4, second for IPv6. > > For each one a separate rte_security/crypto session will be created and > > programmed. > > ? > > > > Because, I think that part will still be needed even when will have new SAD > > in > > place. > Agreed.
Ok, then let's postpone this patch till new SAD will be in ipsec-secgw. Konstantin
