Re: [PATCH] IPSec protocol application order

From: David S. Miller (davem@redhat.com)
Date: Wed Feb 19 2003 - 20:32:09 EST


On Wed, 2003-02-19 at 15:03, Tom Lendacky wrote:
> I apologize if I missed it, but is there another way to set policy in the
> SPD besides the setkey command? I am under the assumption that setkey's
> spdadd operation is what is to be used to define the policy on the system
> so that racoon can perform dynamic keying.

That's correct.

But there is still no issue.

The user can make his machine non-RFC compliant by giving a bogus
specification to setkey. Kernel and setkey are merely doing what
the user asks of them.

This is akin to the user writing a RAW socket application which makes
the kernel output non-RFC compliant TCP packets. Do you suggest that
the kernel or some other part of the system should verify the packets
sent through the RAW socket interface? That is exactly what you are
telling us that setkey should be doing.

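The thread turns on setkey accepting whatever protocol order the administrator writes into an spdadd policy. As an added illustration (not code from this thread, the kernel or ipsec-tools), here is a small lint that parses spdadd lines and flags an AH/ESP order that contradicts RFC 2401 transport adjacency. It assumes setkey applies the protocols in the order listed, so the first one ends up innermost; the sample policy lines are constructed.

```python
import re

# Assumption (not stated in the thread): in setkey syntax the protocol listed
# first is applied first and so ends up innermost; the RFC 2401 transport-mode
# combination "ESP inside, AH outside" is therefore written "esp/... ah/...".
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+"
    r"(discard|none|ipsec(?:\s+\S+)*?)\s*;"
)
PROTO_RE = re.compile(
    r"^(esp|ah|ipcomp)/(transport|tunnel)/([^/]*)/(default|use|require|unique(?::\d+)?)$"
)

def parse_spdadd(line: str) -> dict:
    """Split one spdadd line into its fields; raise ValueError if malformed."""
    m = SPDADD_RE.search(line)
    if not m:
        raise ValueError(f"not an spdadd line: {line.strip()}")
    src, dst, upper, direction, policy = m.groups()
    words = policy.split()          # words[0] is discard / none / ipsec
    protos = []
    for spec in words[1:]:
        pm = PROTO_RE.match(spec)
        if not pm:
            raise ValueError(f"bad protocol spec: {spec}")
        protos.append({"proto": pm.group(1), "mode": pm.group(2),
                       "endpoints": pm.group(3), "level": pm.group(4)})
    return {"src": src, "dst": dst, "upper": upper, "dir": direction,
            "action": words[0], "protos": protos}

def check_order(entry: dict) -> list:
    """Warnings for a parsed entry; an empty list means nothing looked odd."""
    warnings = []
    names = [p["proto"] for p in entry["protos"]]
    if "ah" in names and "esp" in names and names.index("ah") < names.index("esp"):
        warnings.append("ah listed before esp: AH would sit inside ESP, the reverse "
                        "of RFC 2401 transport adjacency (ESP inner, AH outer)")
    if len(names) != len(set(names)):
        warnings.append("same protocol listed more than once")
    return warnings

SAMPLE = [  # constructed policy lines, not from the thread; the second is swapped
    "spdadd 10.0.0.1 10.0.0.2 any -P out ipsec esp/transport//require ah/transport//require;",
    "spdadd 10.0.0.2 10.0.0.1 any -P in ipsec ah/transport//require esp/transport//require;",
]

def lint(lines: list) -> dict:
    """Map each spdadd line to its warning list (empty when the order looks fine)."""
    return {line: check_order(parse_spdadd(line)) for line in lines}
```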



This archive was generated by hypermail 2b29 : Sun Feb 23 2003 - 22:00:27 EST