On Mon, May 17, 2004 at 03:59:30PM -0400, der Mouse wrote:
> My dear Mr. Stone,
> 
> > Please read for comprehension.
> 
> I believe I did.  Apparently, though, either you didn't or I failed to
> write sufficiently clearly for (your) comprehension.

I think you don't understand the relevant history here.

The PF_KEY interface is _broken_ due to a bug in the kernel code for
marshalling SAs into sequences of messages.  Rather than fix that,
some months ago a developer chose to make kernfs _required_ for correct 
operation instead.

Now you can use kernfs (which is optional) or sysctl (which isn't, but
which is *not* the standards-defined interface for this task) but you
still can't use PF_KEY.

This is what many developers who have looked at this question find broken,
even in some cases offensive.  kernfs is an *optional* system component.
Requiring it for correct operation is *just not okay*, and forcing a new
network stack to implement a kernfs hack around PF_KEY being buggy so that
it's compatible with the old broken implementation of this stuff is... not
good.