You can enforce the ordering exactly when the xfrm templates
are built, this ensures that any fully resolved xfrm state
created from them have the correct ordering as well.
As for the ordering of the modes (transport then tunnel) and the ordering
of the protocols within transport mode (IPCOMP then ESP then AH) I see
where that fix can be incorporated (in parse_ipsecrequests of af_key.c).
My question is should I do any ordering of the protocols within tunnel
mode. While the ordering within transport mode is specified in the RFCs
(2401 and 3173), tunnel mode has no such requirement that I can tell. Any
suggestions or should the order just be how the request is received by the
pfkey interface?
Also, the general direction I am looking at for the fix is to loop through
the requests multiple times processing IPCOMP transport first, then ESP
transport, then AH transport, and then the tunnel mode protocols.
Tom
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/