On 06.10.2016 14:01, Rafa Marin Lopez wrote:
> In the file key.c in netipsec there is a function:
>
> key_spdacquire(struct secpolicy *sp)
>
> which is implemented but in the table:
>
>
> static int (*key_typesw[])(struct socket *, struct mbuf *, const
> struct sadb_msghdr *) = { ...
>
> NULL, /* SADB_X_SPDACQUIRE */
>
>
> Does it mean it is not usable?
>
> We are interested because we are dealing with handling IPsec by using
> SDN paradigm
> (https://tools.ietf.org/html/draft-abad-i2nsf-sdn-ipsec-flow-protection-00)
> and we would need an event when a IP packet needs a policy to be
> configured for an outbound packet.Hi, Yes, it isn't usable. In my understanding SADB_X_SPDACQUIRE should be used in conjunction with SADB_X_SPDSETIDX and SADB_X_SPDUPDATE in the similar way like currently SADB_GETSPI+SADB_ACQUIRE+SADB_UPDATE works. Currently I have done a heavy redesign of SADB/SPDB and also just removed SADB_X_SPDSETIDX and SADB_X_SPDACQUIRE support, since 1) it is unused; 2) I failed to find IKEd that supports it; 3) there is no code in the IPsec that assumes such usage. My work is still in progress, currently we are doing testing. But if you have software that will use this, I will think how to implement it. -- WBR, Andrey V. Elsukov
signature.asc
Description: OpenPGP digital signature
