Subject: Re: Reminder that we are supporting two parallel IPsec implementations
To: None <>
From: Thor Lancelot Simon <>
List: tech-net
Date: 09/12/2003 15:56:44
On Fri, Sep 12, 2003 at 12:46:57PM -0700, Bill Studenmund wrote:
> Jonathan, please stop this attack on kernfs.

I think that "attack" is unreasonably strong language here.

Besides, as a project we've revisited the "can we require kernfs"
issue probably a dozen times.  There's no consensus that the answer
is "yes" -- in fact, generally we hash it out in private and end
up with "no".


1) PF_KEY is an interface defined by a standard.  The pain of working
   with systems that require nonstandard extensions in order to obtain
   the standard PF_KEY functionality?  I've been there, done that, and
   have the scars to prove it -- no, thank you!  And when N different
   systems all decide to embed necessary functionality in N different
   PF_KEY extension mechanisms -- ugh.  This is the first skittering
   step down an _extremely_ slippery slope, if you ask me -- and the
   pain that this change is already causing Jonathan and Sam is pretty
   good evidence that we're about to start sliding.

2) As Matt Thomas already pointed out, we have a way for network protocols
   to work around the message-size issue that inspired Itojun's original
   change.  It would be, it seems to me, much more appropriate to use the
   existing functionality than to require anyone who wants to use IPsec to
   use kernfs, which would be a significant divergence from our traditional
   position on that issue.