The XFRM code base looks like it needs a relatively intrusive change to support protocols like SCTP correctly. The problem is that security policies are cached on the socket level, where SCTP not only uses multiple addresses per association, but multiple associations per socket.
I believe this problem could be fixed cleanly by replacing sk_policy with a security policy context structure that could be used on a lower level basis as well. xfrm_policy_check would then be changed to accept a pointer to a security policy context instead of a socket pointer. The user specified socket level security policy (set via setsockopt(SOL_IP, IP_XFRM_POLICY)) would function as a default, by being copied down to lower level contexts as necessary.
That would allow SCTP to properly use security policies on a per-association (if not per-peer-address) basis.
Any obvious problems with a solution like that?

- Mark B.

-
To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
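The proposal above can be made concrete with a small user-space model. The following is an added example, not code from the post or from the Linux XFRM code base: it sketches a `struct xfrm_policy_ctx` that replaces the per-socket `sk_policy`, a policy check that takes a context pointer instead of a socket pointer, and the copy-down of the socket-level default (the `setsockopt(SOL_IP, IP_XFRM_POLICY)` path) into each association when it is created. All type and function names (`model_sock`, `model_assoc`, `model_policy_check`, the `POLICY_*` actions) and the peer addresses are hypothetical and constructed for the demonstration; real XFRM policies are selector-based and far richer than a single action value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-context policy: a single action stands in for a full selector/template. */
enum policy_action { POLICY_NONE = 0, POLICY_ALLOW, POLICY_BLOCK, POLICY_REQUIRE_IPSEC };

struct xfrm_policy_ctx {
    enum policy_action action;
    bool user_set;              /* true once set via the modelled setsockopt path */
};

#define MAX_ASSOCS 4

/* One SCTP association; in the proposal each carries its own policy context. */
struct model_assoc {
    uint32_t peer_addr;         /* constructed; real SCTP has several addresses per association */
    struct xfrm_policy_ctx policy;
};

/* Socket: its context is only a default that associations inherit. */
struct model_sock {
    struct xfrm_policy_ctx policy;          /* takes the place of sk_policy */
    struct model_assoc assocs[MAX_ASSOCS];
    int nr_assocs;
};

/* Model of setsockopt(SOL_IP, IP_XFRM_POLICY): sets the socket-level default. */
static void model_set_sock_policy(struct model_sock *sk, enum policy_action act)
{
    sk->policy.action = act;
    sk->policy.user_set = true;
}

/* Association setup copies the socket default down, as the proposal describes. */
static struct model_assoc *model_assoc_create(struct model_sock *sk, uint32_t peer)
{
    if (sk->nr_assocs >= MAX_ASSOCS)
        return NULL;
    struct model_assoc *a = &sk->assocs[sk->nr_assocs++];
    a->peer_addr = peer;
    a->policy = sk->policy;     /* copy-down: later socket changes do not leak into this association */
    return a;
}

/* Per-association override; does not touch the socket default. */
static void model_set_assoc_policy(struct model_assoc *a, enum policy_action act)
{
    a->policy.action = act;
    a->policy.user_set = true;
}

/* The proposed xfrm_policy_check shape: a context pointer, not a socket pointer. */
static bool model_policy_check(const struct xfrm_policy_ctx *ctx, bool pkt_was_ipsec)
{
    switch (ctx->action) {
    case POLICY_NONE:           /* no context policy: the real stack would fall back to the SPD */
    case POLICY_ALLOW:
        return true;
    case POLICY_BLOCK:
        return false;
    case POLICY_REQUIRE_IPSEC:
        return pkt_was_ipsec;   /* cleartext on a protected association is dropped */
    }
    return false;
}

/* Scenario: socket default REQUIRE_IPSEC, second association overridden to ALLOW.
 * Returns a bitmask of which checks passed so the outcome can be asserted. */
int model_scenario(void)
{
    struct model_sock sk = {0};
    model_set_sock_policy(&sk, POLICY_REQUIRE_IPSEC);

    struct model_assoc *a1 = model_assoc_create(&sk, 0x0a000001); /* constructed peer 10.0.0.1 */
    struct model_assoc *a2 = model_assoc_create(&sk, 0x0a000002); /* constructed peer 10.0.0.2 */
    model_set_assoc_policy(a2, POLICY_ALLOW);

    int r = 0;
    if (model_policy_check(&a1->policy, false)) r |= 1;  /* cleartext to a1: blocked */
    if (model_policy_check(&a1->policy, true))  r |= 2;  /* IPsec-protected to a1: passes */
    if (model_policy_check(&a2->policy, false)) r |= 4;  /* cleartext to a2: allowed by override */
    if (model_policy_check(&sk.policy, false))  r |= 8;  /* socket default untouched: still blocks */
    return r;                                            /* expected 6 */
}

int main(void)
{
    printf("scenario outcome bitmask: %d\n", model_scenario());
    return 0;
}
```

The point the model makes is the one the post argues for: once the check is keyed on a context rather than the socket, two associations on the same socket can carry different policies, and the user-set socket policy degrades gracefully to a default that is copied at association creation rather than consulted at check time.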