Subject: Re: Reminder that we are supporting two parallel IPsec implementations
To: Jason Thorpe <>
From: Bill Studenmund <>
List: tech-net
Date: 09/12/2003 14:35:13
On Fri, 12 Sep 2003, Jason Thorpe wrote:

> On Friday, September 12, 2003, at 01:28  PM, Bill Studenmund wrote:
> > Ok, maybe I'm on the wrong page. I assumed that Itojun _added_ kernfs
> > supoprt, and that if kernfs wasn't there, we'd use PF_KEY instead. Is
> > that
> > assumption correct or incorrect?
> That is correct.  However, the PF_KEY interface was a second-class
> citizen to the kernfs interface, since the PF_KEY interface has a
> restriction that the kernfs interface does not have.
> That means that kernfs WOULD BE REQUIRED to support large numbers of
> IPsec SAs.

So? You're saying that kernfs does somethign well, and is the best choice
in certain circumstances? So why not use it? If that means it's what's
needed (i.e. required), then so be it. We can see what we think about it,
and go from there.

As long as kernfs is never allowed to be good at something, it will never
be good at anything.

Take care,