Subject: Re: ipsec pcb/socket passing
To: Jun-ichiro itojun Hagino <itojun@itojun.org>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-net
Date: 08/25/2003 15:40:25

On Tue, 26 Aug 2003, Jun-ichiro itojun Hagino wrote:

> > Also, totally unrelated note, what happens if you're an IPsec gateway? Say
> > you're doing ESP tunnel mode for a number of protected boxes. And you have
> > nothing running that has an open port covered by the IPsec policy (or you
> > have port-specific policy and nothing's open on that port). Do you really
> > have a socket sitting around to hang the IPsec info off of, even though
> > there's nothing in userland around to hook to it?
>
> 	there are two places you can put policies - one is on socket via ioctl,
> 	another is on packet filter-like (setkey).  IPsec gateway case falls
> 	into the latter, and there'll be no socket for those policies.

So we'd be passing NULL as the socket in that case?

Take care,

Bill