Subject: Re: IPv4 fast routing versus IPSEC
To: None <firstname.lastname@example.org, email@example.com>
From: Thor Lancelot Simon <firstname.lastname@example.org>
Date: 02/24/2003 20:06:12
On Tue, Feb 25, 2003 at 10:03:03AM +0900, email@example.com wrote:
> >>>| date: 1999/10/26 09:53:17; author: itojun; state: Exp; lines: +6 -1
> >>>| disable ipflow (IPv4 fast fowarding) when IPsec is configured into the kernel.
> >>> Why is this the case?
> ipsec policy engine is some sort of packet filter. it is not friendly
> with ipflow. for instance, if some traffic hits ipflow cache, it won't
> be encrypted.
Hm. Perhaps a good solution would be:
1) Cache policy engine decision per-flow in ipflow
2) Notify ipflow from the policy engine when new policies are loaded; even
the coarse action of clearing all current flow state should suffice, and
be better than the current state of affairs; on most systems, policies
don't change all that often.
What do you think?
Thor Lancelot Simon firstname.lastname@example.org
But as he knew no bad language, he had called him all the names of common
objects that he could think of, and had screamed: "You lamp! You towel! You
plate!" and so on. --Sigmund Freud