From: "David S. Miller" <[EMAIL PROTECTED]>
Date: Thu, 15 Dec 2005 17:04:56 -0800 (PST)

> I'm trying to see if there is a clever way to make existing SA
> entries get invalidated upon insertion of a new SA which "shadows"
> them.

To illustrate why this is a "hard problem", I've drawn an extensive diagram showing the relationships. Have a look at:

http://vger.kernel.org/~davem/xfrm_engine.png

The thing to notice immediately is that there is no arrow going from "XFRM policy" to "XFRM SA" in any way, and vice versa.

IPSEC routes are a product of two inputs:

1) templates specified in the XFRM policy and
2) XFRM SA states that are found by hash lookups into the SA database, based upon the key calculated from the templates.

This is the work performed by xfrm_tmpl_resolve(), when it builds the cached XFRM bundles.

So, given an arbitrary SA being added to the system, finding out what policies or existing SAs might be changed by that is incredibly non-trivial.
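Added illustration, not kernel code and not part of this thread: a toy C model of the two-input resolution described above (policy templates keyed into an SA hash table, the result cached as a bundle). Names such as `tmpl`, `sa`, `sadb_insert` and `resolve_tmpl` are simplified stand-ins; the point it shows is that the cached bundle holds no link back to the SA table, so it silently keeps the old SA after a shadowing one is inserted.

```c
/* Toy model of the XFRM flow: policy -> templates -> SADB hash lookup -> bundle.
 * All structures and names here are simplified stand-ins, not the kernel's. */
#include <stdint.h>
#include <string.h>

#define SADB_BUCKETS 16

struct sa     { uint32_t daddr; uint8_t proto; uint32_t reqid; uint32_t spi; struct sa *next; };
struct tmpl   { uint32_t daddr; uint8_t proto; uint32_t reqid; };
struct policy { struct tmpl tmpl; struct sa *cached_bundle; };  /* one-template bundle */

static struct sa *sadb[SADB_BUCKETS];   /* SA database: chained hash buckets */

/* Key is computed from the template's (daddr, proto, reqid), as in the mail. */
static unsigned sadb_hash(uint32_t daddr, uint8_t proto, uint32_t reqid)
{
    return (daddr ^ proto ^ (reqid * 2654435761u)) % SADB_BUCKETS;
}

/* Insert at the bucket head, so a newer SA with the same key is found first. */
static void sadb_insert(struct sa *x)
{
    unsigned h = sadb_hash(x->daddr, x->proto, x->reqid);
    x->next = sadb[h];
    sadb[h] = x;
}

/* The lookup half of a template resolve: derive the key, walk the bucket. */
static struct sa *resolve_tmpl(const struct tmpl *t)
{
    unsigned h = sadb_hash(t->daddr, t->proto, t->reqid);
    for (struct sa *x = sadb[h]; x; x = x->next)
        if (x->daddr == t->daddr && x->proto == t->proto && x->reqid == t->reqid)
            return x;
    return NULL;
}

/* Constructed scenario: policy resolves to SA a, then SA b (same key, new SPI)
 * is added.  Nothing links the policy's cached bundle to the SADB, so the
 * bundle still points at a while a fresh resolve would now return b.
 * Returns 1 if the cache went stale in exactly that way. */
int bundle_goes_stale(void)
{
    static struct sa a = { 0x0a000001, 50, 1, 0x1000, NULL };
    static struct sa b = { 0x0a000001, 50, 1, 0x2000, NULL };
    struct policy p = { { 0x0a000001, 50, 1 }, NULL };
    memset(sadb, 0, sizeof sadb);
    sadb_insert(&a);
    p.cached_bundle = resolve_tmpl(&p.tmpl);    /* bundle built from SA a */
    sadb_insert(&b);                             /* b shadows a for this key */
    return p.cached_bundle == &a && resolve_tmpl(&p.tmpl) == &b;
}
```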