Subject: Re: Reminder that we are supporting two parallel IPsec implementations
To: Bill Studenmund <>
From: Thor Lancelot Simon <>
List: tech-net
Date: 09/12/2003 16:25:20
On Fri, Sep 12, 2003 at 01:14:41PM -0700, Bill Studenmund wrote:
> > Besides, as a project we've revisited the "can we require kernfs"
> > issue probably a dozen times.  There's no consensus that the answer
> > is "yes" -- in fact, generally we hash it out in private and end
> > up with "no".
> It was my understanding that Itojun did not remove PF_KEY support, he
> added support for setkey to go looking in /kern. And /kern will get looked
> at first. How is that requiring kernfs other than the fact that kernfs
> will not be subject to difficulties present in the PF_KEY socket
> implementation?

The "difficulties" in question are a *bug* that *requires* that the
kernfs interface be used if the number of SAs to be retrieved is
sufficiently large.  In practice, that means that the only interface
you can rely on is the nonstandard extension -- not standard PF_KEY.

Matt pointed out how PF_KEY could be fixed to not have the datagram
size restriction in question.  I think that's the right thing to do; but
either way, I think any change like this really, really should be coordinated
with the fast-ipsec maintainers so that the behaviour is consistent no matter
what the kernel provider of the interface is.