Subject: Re: IPsec policy cache hint
To: tech-net@NetBSD.org, Jason Thorpe <firstname.lastname@example.org>
From: Michael Richardson <email@example.com>
Date: 02/28/2004 12:10:07
For a somewhat similar situation (determining what IP source address
would be used for an IKE packet on Linux/FreeS/WAN), I had suggested an
IP-layer socket option which I called "IP_JUST_KIDDING".
It would do *all* processing, including host-based NAT, whatever IP
source address selection rules that might be in IP(f), etc. but not send
the resulting packet at the step just before sending to the hardware TX
queue. Instead, the packet would be returned to the application for

You are basically talking about leaving appropriate space so that IPsec
doesn't have to cope with oversize packets - shouldn't that be a more
general situation - that IPsec updates the MTU of the socket itself?
Or do you want to adjust the MSS in the initial TCP exchange?
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] firstname.lastname@example.org http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [