On Tue, 6 Mar 2007, Joy Latten wrote:
> > I saw something similar to this some time ago when testing various
> > failure modes, and discused it with Herbert.
> >
> > IIRC, there's a larval SA which is not torn down properly by Racoon once
> > the full SA is established, and the larval SA keeps
On Mon, 2007-03-05 at 22:21 -0500, James Morris wrote:
> On Mon, 5 Mar 2007, Joy Latten wrote:
>
> > 5. Around the time the set of SAs for OUT direction are to be
> >inserted into SAD, I see another ACQUIRE happening.
> >
> >I have not yet figured out where this second ACQUIRE comes fr
On Mon, 5 Mar 2007, Joy Latten wrote:
> 5. Around the time the set of SAs for OUT direction are to be
>inserted into SAD, I see another ACQUIRE happening.
>
>I have not yet figured out where this second ACQUIRE comes from
>and why it happens. As long as the minimal SA or set of val
>From: Joy Latten <[EMAIL PROTECTED]>
>Date: Mon, 05 Feb 2007 14:53:39 -0600
>
>> I can run some tests with this patch and report any results...
>
>Please check out the two most recent patches I posted:
>
>1) Updated core patch with ipv6 side added.
>2) Fix for thinko noticed by Venkat.
I have be
>From: Joy Latten <[EMAIL PROTECTED]>
>Date: Mon, 05 Feb 2007 14:53:39 -0600
>
>> I can run some tests with this patch and report any results...
>
>Please check out the two most recent patches I posted:
>
>1) Updated core patch with ipv6 side added.
>2) Fix for thinko noticed by Venkat.
Just a qu
From: Joy Latten <[EMAIL PROTECTED]>
Date: Mon, 05 Feb 2007 14:53:39 -0600
> I can run some tests with this patch and report any results...
Please check out the two most recent patches I posted:
1) Updated core patch with ipv6 side added.
2) Fix for thinko noticed by Venkat.
Thanks.
-
To unsub
From: "Venkat Yekkirala" <[EMAIL PROTECTED]>
Date: Mon, 5 Feb 2007 14:49:17 -0600
> > Something like this (untested) on the ipv4 side, for example:
> >
> > diff --git a/include/net/route.h b/include/net/route.h
> > index 486e37a..a8af632 100644
> > --- a/include/net/route.h
> > +++ b/include/net/
I can run some tests with this patch and report any results...
Regards,
Joy
On Sun, 2007-02-04 at 20:53 -0800, David Miller wrote:
> From: James Morris <[EMAIL PROTECTED]>
> Date: Thu, 1 Feb 2007 18:44:48 -0500 (EST)
>
> > A quick & dirty solution, which is what I think the BSD kernels do, is t
From: James Morris <[EMAIL PROTECTED]>
Date: Mon, 5 Feb 2007 15:34:39 -0500 (EST)
> On Mon, 5 Feb 2007, James Morris wrote:
>
> > On Sun, 4 Feb 2007, David Miller wrote:
> >
> > > Something like this (untested) on the ipv4 side, for example:
> >
> > Looks like it should work. Will do some test
On Thu, 2007-02-01 at 18:44 -0500, James Morris wrote:
> On Thu, 1 Feb 2007, Joy Latten wrote:
>
> > IPsec returns EAGAIN when it needs to acquire an SA.
> > There have been a thread or two about this...
> > Has there been any info or progress in how best to fix this?
> >
> > James Morris present
> Something like this (untested) on the ipv4 side, for example:
>
> diff --git a/include/net/route.h b/include/net/route.h
> index 486e37a..a8af632 100644
> --- a/include/net/route.h
> +++ b/include/net/route.h
> @@ -146,7 +146,8 @@ static inline char rt_tos2priority(u8 tos)
>
> static inline i
On Mon, 5 Feb 2007, James Morris wrote:
> On Sun, 4 Feb 2007, David Miller wrote:
>
> > Something like this (untested) on the ipv4 side, for example:
>
> Looks like it should work. Will do some testing.
Appears to work well, with a slight delay on the first packet as expected.
Tested with tc
On Sun, 4 Feb 2007, David Miller wrote:
> Something like this (untested) on the ipv4 side, for example:
Looks like it should work. Will do some testing.
--
James Morris
<[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL P
From: James Morris <[EMAIL PROTECTED]>
Date: Thu, 1 Feb 2007 18:44:48 -0500 (EST)
> A quick & dirty solution, which is what I think the BSD kernels do, is to
> still drop the packet but just not return an error to the app. The app
> then just sees a slight delay on the initial connection, as if
On Thursday, February 1 2007 6:44 pm, James Morris wrote:
> On Thu, 1 Feb 2007, Joy Latten wrote:
> > When using labeled xfrms (xfrms that contain a security context), there
> > is potential for a greater amount of SAs to be created than when using
> > regular xfrms. An SA may be created every time
On Thu, 1 Feb 2007, Joy Latten wrote:
> IPsec returns EAGAIN when it needs to acquire an SA.
> There have been a thread or two about this...
> Has there been any info or progress in how best to fix this?
>
> James Morris presented some work/ideas,
> http://vger.kernel.org/jmorris_ipsec_sa_resolut
context, making current
behavior problematic.
Bugreport 225328 has been opened in the Redhat Bugzilla to address
when having to acquire an SA, ipsec drops the packet.
Regards,
Joy
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL
17 matches
Mail list logo
