From: Stephen Frost <sfrost@snowman.net>
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Cc: Wolfgang Walter <wolfgang.walter@studentenwerk.mhn.de>,
	netdev@oss.sgi.com
Subject: Re: [IPSEC] Too many SADs!
Date: Tue, 22 Mar 2005 14:11:33 -0500
Message-ID: <20050322191133.GD8725@ns.snowman.net>
In-Reply-To: <6298.1111517185@marajade.sandelman.ottawa.on.ca>


* Michael Richardson (mcr@sandelman.ottawa.on.ca) wrote:
> >>>>> "Stephen" == Stephen Frost <sfrost@snowman.net> writes:
>     Stephen> interfaces to the IPSEC in Linux.  Additionally, the
>     Stephen> problem isn't that I've got too many policies which end up
>     Stephen> requiring too many SADs- the  problem is that SADs are
>     Stephen> being created above and beyond what's actually necessary
>     Stephen> for my policies, which is a problem.  I'm not entirely sure
> 
>   There is certainly a bug in openswan 2.3.1drX, possibly in 2.3.0,
> where more SPD entries get created than necessary.

Well, that's interesting, since my problem had been with racoon...

>   This would result in many SAD entries, since the incoming SAs are not
> removed until they expire, or the remote end asks for them to be deleted.
>  
>   As the SAD interface in NETKEY provided by netfilter/pfkey does not
> permit any kind of "insert here" option, it is possible that there is
> some other bug whereby SAD entries multiply.

Got me, but if you're seeing this with openswan too, well, that'd be
rather interesting and might point to a problem outside of the userspace
tools...

	Stephen
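A defender-side check that follows from the thread's observation (inbound SAs pile up in the SAD until they expire): an added example, not code from this thread, openswan or racoon. It parses `ip xfrm state` output (the NETKEY-side view of the SAD; the sample below is constructed and the line layout is an assumption about iproute2 output) and flags peer pairs holding more SAs than one live SA plus one rekey overlap would explain.

```python
import re
import subprocess
from collections import Counter

# Constructed sample of `ip xfrm state` output: one outbound SA and three
# inbound SAs for the same peer pair, i.e. the "too many SADs" symptom.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.7
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    replay-window 32
src 198.51.100.7 dst 192.0.2.1
    proto esp spi 0x0a1b2c3e reqid 1 mode tunnel
    replay-window 32
src 198.51.100.7 dst 192.0.2.1
    proto esp spi 0x0a1b2c3f reqid 1 mode tunnel
    replay-window 32
src 198.51.100.7 dst 192.0.2.1
    proto esp spi 0x0a1b2c40 reqid 1 mode tunnel
    replay-window 32
"""

SA_HDR = re.compile(r"^src (\S+) dst (\S+)")
SA_PROTO = re.compile(r"^\s+proto (\S+) spi (0x[0-9a-fA-F]+)")


def parse_sas(text):
    """Return a list of (src, dst, proto, spi) tuples, one per SA in the dump."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HDR.match(line)
        if m:                      # a new SA starts with its src/dst line
            cur = (m.group(1), m.group(2))
            continue
        m = SA_PROTO.match(line)
        if m and cur:              # proto/spi line belongs to the current SA
            sas.append((cur[0], cur[1], m.group(1), m.group(2)))
    return sas


def excess_sas(text, allowed=2):
    """Map (src, dst, proto) -> SA count for pairs exceeding `allowed`.
    Two is the assumed ceiling: one live SA plus one overlapping during rekey."""
    counts = Counter((s, d, p) for s, d, p, _ in parse_sas(text))
    return {key: n for key, n in counts.items() if n > allowed}


if __name__ == "__main__":
    live = subprocess.check_output(["ip", "xfrm", "state"], text=True)
    for (src, dst, proto), n in excess_sas(live).items():
        print(f"{src} -> {dst} {proto}: {n} SAs")
```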
