tech-net archive


Re: IPsec: duplicate sysctls



On Tue, Mar 06, 2018 at 08:40:47PM +0100, Maxime Villard wrote:
> On 05/03/2018 at 22:06, Joerg Sonnenberger wrote:
> > On Mon, Mar 05, 2018 at 08:44:32AM +0100, Maxime Villard wrote:
> > > As Ryota Ozaki noted a week ago, there are several duplicate sysctls
> > > 
> > > 	net.inet.esp.trans_deflev = net.inet.ipsec.esp_trans_deflev
> > > 	net.inet.esp.net_deflev   = net.inet.ipsec.esp_net_deflev
> > > 	net.inet.ah.cleartos      = net.inet.ipsec.ah_cleartos
> > > 	net.inet.ah.offsetmask    = net.inet.ipsec.ah_offsetmask
> > > 	net.inet.ah.trans_deflev  = net.inet.ipsec.ah_trans_deflev
> > > 	net.inet.ah.net_deflev    = net.inet.ipsec.ah_net_deflev
> > > 
> > > Under net.inet6 there are no duplicates, we use the convention on the
> > > right here.
> > > 
> > > But I believe the one on the left is the best one. I guess it is fine to
> > > switch everything to the left one and remove the duplicates?
> > 
> > I do prefer the convention on the right, "esp" or "ah" by itself is not
> > necessarily a direct association with IPsec.
> 
> These sysctls are to be used when IPsec is enabled; so if someone is using
> IPsec but has no idea what "ah" or "esp" means, this someone has a problem
> in the first place.

They exist on any system with IPsec support in the kernel. Someone
looking at "sysctl -a" has a right to have an idea what this is about as
well. The chance that someone has heard about IPsec is much higher than
having heard about AH or ESP.

Joerg
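Whichever naming convention wins, an operator changing one of the duplicated knobs will want to confirm that both names really report the same value afterwards. The script below is an added example, not code from the thread or from NetBSD: it parses `sysctl -a`-style `name = value` output and reports any alias pair from the list above that disagrees or is missing. The sample output embedded in it is constructed, including a deliberate mismatch on `ah.cleartos`.

```python
"""Check that aliased IPsec sysctl names report the same value.

Added example (not part of the thread): parses `sysctl -a`-style output
and verifies that each alias pair listed in the thread agrees. The
sample input at the bottom is constructed, not real system output.
"""
import re

# Alias pairs as listed in the thread:
# (net.inet.{esp,ah}.X, net.inet.ipsec.{esp,ah}_X)
ALIASES = [
    ("net.inet.esp.trans_deflev", "net.inet.ipsec.esp_trans_deflev"),
    ("net.inet.esp.net_deflev", "net.inet.ipsec.esp_net_deflev"),
    ("net.inet.ah.cleartos", "net.inet.ipsec.ah_cleartos"),
    ("net.inet.ah.offsetmask", "net.inet.ipsec.ah_offsetmask"),
    ("net.inet.ah.trans_deflev", "net.inet.ipsec.ah_trans_deflev"),
    ("net.inet.ah.net_deflev", "net.inet.ipsec.ah_net_deflev"),
]

# Accepts "name = value" (NetBSD/BSD style) and "name: value" (Linux style).
_LINE = re.compile(r"^\s*([\w.\-]+)\s*[=:]\s*(.*?)\s*$")


def parse_sysctl(text):
    """Parse sysctl output lines into a {name: value} dict."""
    values = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_aliases(values, aliases=ALIASES):
    """Return (short_name, long_name, short_val, long_val) for every pair
    whose two names disagree or where one of the names is absent."""
    problems = []
    for short, long_ in aliases:
        sv, lv = values.get(short), values.get(long_)
        if sv is None or lv is None or sv != lv:
            problems.append((short, long_, sv, lv))
    return problems


# Constructed sample; values are illustrative only, and the disagreement
# on net.inet.ah.cleartos is deliberate so the check has something to flag.
SAMPLE = """\
net.inet.esp.trans_deflev = 1
net.inet.esp.net_deflev = 1
net.inet.ah.cleartos = 1
net.inet.ah.offsetmask = 0
net.inet.ah.trans_deflev = 1
net.inet.ah.net_deflev = 1
net.inet.ipsec.esp_trans_deflev = 1
net.inet.ipsec.esp_net_deflev = 1
net.inet.ipsec.ah_cleartos = 0
net.inet.ipsec.ah_offsetmask = 0
net.inet.ipsec.ah_trans_deflev = 1
net.inet.ipsec.ah_net_deflev = 1
"""

if __name__ == "__main__":
    # On a real NetBSD host, replace SAMPLE with the output of `sysctl -a`.
    for short, long_, sv, lv in check_aliases(parse_sysctl(SAMPLE)):
        print(f"mismatch: {short}={sv} vs {long_}={lv}")
```

Since the two names are meant to be two spellings of one kernel variable, any line this prints points at either a typo in the name you set or at the kind of duplication the thread is trying to remove.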

