Subject: Re: IPv4 fast routing versus IPSEC
To: None <,>
From: Thor Lancelot Simon <>
List: tech-net
Date: 02/24/2003 20:06:12
On Tue, Feb 25, 2003 at 10:03:03AM +0900, wrote:
> >>>| date: 1999/10/26 09:53:17;  author: itojun;  state: Exp;  lines: +6 -1
> >>>| disable ipflow (IPv4 fast forwarding) when IPsec is configured into the kernel.
> >>> Why is this the case?
> 	ipsec policy engine is some sort of packet filter.  it is not friendly
> 	with ipflow.  for instance, if some traffic hits ipflow cache, it won't
> 	be encrypted.

Hm.  Perhaps a good solution would be:

1) Cache policy engine decision per-flow in ipflow
2) Notify ipflow from the policy engine when new policies are loaded; even
   the coarse action of clearing all current flow state should suffice, and
   be better than the current state of affairs; on most systems, policies
   don't change all that often.

What do you think?

 Thor Lancelot Simon	                            
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud
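The following is an added illustration of the two-step proposal in the message above (cache the policy engine's decision in each flow entry, and have the policy engine flush ipflow when policies are reloaded), placed next to a model of the problem itojun describes (a cache hit forwarding traffic in the clear). It is toy code written for this page, not NetBSD's ipflow or IPsec code; every identifier (`ipflow_forward`, `policy_load`, `policy_gen`, the prefix-only policy format and the constructed addresses) is hypothetical.

```c
/* Toy model of an IPv4 flow cache that remembers the IPsec policy decision
 * per flow and is flushed whenever the policy engine loads new policies.
 * Added example; not NetBSD code.  All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum action { ACT_BYPASS = 0, ACT_ENCRYPT = 1, ACT_DISCARD = 2 };

struct flow_key { uint32_t src, dst; uint8_t proto; };

static int key_eq(const struct flow_key *a, const struct flow_key *b)
{
    return a->src == b->src && a->dst == b->dst && a->proto == b->proto;
}

/* A policy matches on destination prefix only, to keep the model small. */
struct policy { uint32_t dst, dstmask; enum action act; };

#define MAX_POLICY 8
static struct policy policies[MAX_POLICY];
static int npolicy;
static unsigned policy_gen;      /* incremented on every policy load */

/* Slow path: the full policy engine lookup, first match wins. */
static enum action policy_lookup(const struct flow_key *k)
{
    for (int i = 0; i < npolicy; i++)
        if ((k->dst & policies[i].dstmask) == policies[i].dst)
            return policies[i].act;
    return ACT_BYPASS;           /* no matching policy: plain forwarding */
}

struct flow_entry { struct flow_key key; enum action act; unsigned gen; int valid; };
#define FLOW_SLOTS 16
static struct flow_entry flows[FLOW_SLOTS];

static unsigned flow_hash(const struct flow_key *k)
{
    return (k->src ^ (k->dst * 2654435761u) ^ k->proto) % FLOW_SLOTS;
}

static void ipflow_flush(void) { memset(flows, 0, sizeof flows); }

/* Step 2 of the proposal: the policy engine notifies ipflow on reload by
 * clearing all flow state.  Coarse, but correct. */
static void policy_load(const struct policy *p, int n)
{
    if (n > MAX_POLICY) n = MAX_POLICY;
    memcpy(policies, p, (size_t)n * sizeof *p);
    npolicy = n;
    policy_gen++;
    ipflow_flush();
}

/* Step 1 of the proposal: the flow entry carries the policy decision.
 * Returns the action to apply; *fast is 1 when the flow cache answered. */
static enum action ipflow_forward(const struct flow_key *k, int *fast)
{
    struct flow_entry *e = &flows[flow_hash(k)];
    if (e->valid && e->gen == policy_gen && key_eq(&e->key, k)) {
        *fast = 1;
        return e->act;           /* cached decision; policy engine not consulted */
    }
    *fast = 0;
    enum action a = policy_lookup(k);
    e->key = *k; e->act = a; e->gen = policy_gen; e->valid = 1;
    return a;
}

/* For contrast, the behaviour itojun describes: a flow cache that knows
 * nothing about policy, so every cache hit is forwarded in the clear. */
static enum action ipflow_forward_naive(const struct flow_key *k, int *fast)
{
    struct flow_entry *e = &flows[flow_hash(k)];
    if (e->valid && key_eq(&e->key, k)) { *fast = 1; return ACT_BYPASS; }
    *fast = 0;
    e->key = *k; e->valid = 1;
    return policy_lookup(k);     /* only the first packet of the flow sees policy */
}

/* Constructed scenario: 10/8 must be encrypted, then the rule is changed to
 * discard.  Returns 1 when the cached-policy ipflow behaves as intended. */
static int scenario_cached_policy(void)
{
    struct policy enc[1]  = { { 0x0A000000u, 0xFF000000u, ACT_ENCRYPT } };
    struct policy drop[1] = { { 0x0A000000u, 0xFF000000u, ACT_DISCARD } };
    struct flow_key k = { 0xC0A80001u, 0x0A000005u, 6 };   /* 192.168.0.1 -> 10.0.0.5, TCP */
    int fast, ok = 1;
    policy_load(enc, 1);
    ok &= ipflow_forward(&k, &fast) == ACT_ENCRYPT && fast == 0; /* first packet: slow path */
    ok &= ipflow_forward(&k, &fast) == ACT_ENCRYPT && fast == 1; /* hit keeps the decision */
    policy_load(drop, 1);                                        /* reload flushes the cache */
    ok &= ipflow_forward(&k, &fast) == ACT_DISCARD && fast == 0;
    return ok;
}

/* Same flow through the naive cache: returns the action applied to the
 * second packet, which is ACT_BYPASS although policy says encrypt. */
static enum action scenario_naive_second_packet(void)
{
    struct policy enc[1] = { { 0x0A000000u, 0xFF000000u, ACT_ENCRYPT } };
    struct flow_key k = { 0xC0A80001u, 0x0A000005u, 6 };
    int fast;
    policy_load(enc, 1);
    (void)ipflow_forward_naive(&k, &fast);
    return ipflow_forward_naive(&k, &fast);
}

int main(void)
{
    printf("cached-policy ipflow correct: %d\n", scenario_cached_policy());
    printf("naive ipflow, second packet action: %d (0 = bypass)\n",
           scenario_naive_second_packet());
    return 0;
}
```

The generation counter is what makes the cache safe against a policy reload even if an entry survived the flush; the flush itself is the "coarse action" from the message, and a finer-grained invalidation would only remove entries whose cached decision the new policy set could change.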