Subject: Re: kern/25368: crash after SADB_X_SPDFLUSH
To: None <yamt@mwd.biglobe.ne.jp>
From: None <itojun@iijlab.net>
List: tech-net
Date: 05/10/2004 18:21:32
>is it ok to commit the following workaround for now?

	ok.  actually kame repository has the same workaround.

>btw, per-pcb policies are marked as DEAD but no one check it.
>is it intended?

	hmm, thanks for pointing it up.  interesting problem.

>i couldn't find any policy API documentation which tells
>how SADB_X_SPDDELETE2 and SADB_X_SPDFLUSH should or shouldn't
>affect per-pcb policies and how policy ids should be used.

	per-pcb policies should not be manipulated via PF_KEY.

	policy IDs are there so that IKE daemon can identify which policy
	have triggered ipsec key exchange.  with current policy table
	which has lookup ordering, netmask notation and pcb policy,
	it is very difficult for IKE daemon to identify which policy was
	the trigger.

	and yes, IPsec API as a whole (not just policy but also key management)
	need more documentation.

itojun