From: Daniil Stolnikov <danila.st@mail.ru>
To: David Miller <davem@davemloft.net>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	<linux-crypto@vger.kernel.org>,
	<linux-security-module@vger.kernel.org>, <davem@davemloft.net>,
	<adobriyan@gmail.com>, <peter.p.waskiewicz.jr@intel.com>
Subject: Re: Add IPSec IP Range in Linux kernel
Date: Wed, 9 Nov 2011 09:36:07 +0800
Message-ID: <1289495586.20111109093607@mail.ru>
In-Reply-To: <20111108.121620.2044664919065812135.davem@davemloft.net>

> From: Daniil Stolnikov <danila.st@mail.ru>
> Date: Tue, 08 Nov 2011 12:40:13 +0400

>> I turned to you, the developers, but rather to urge you to implement
>> this feature using IP range.

> This won't be implemented, the keys used for IPSEC rule lookups supported by
> the kernel are already way too complex.

> From: Alexey Dobriyan <adobriyan@gmail.com>
> Date: Tue, 8 Nov 2011 14:08:24 +0200

>> changing addr_match() is trivial for ipv4 and easy for ipv6. :-)

> No, this is not happening.  This added complexity screws up all the hash table
> and lookup optimizations we have in the XFRM layer.

I never imagined that it would cause such difficulties. Several questions arise:

1) How complex is this implementation?
2) How to do this time?
3) Will this feature be implemented after all? If so, how soon and what will it take?


> Ranges can be synthesized by userspace, and that's the way it has to
> be supported.

That is, you mean to say that all this can be done at the user level? How so?

In general, are there alternative implementations of this feature without support at the kernel level? What are some loopholes, tricks? It is meant to create multiple connections to the same subnet's subranges without the use of masks such as /29. Perhaps this can be achieved through l2tp? There, an IP range is present in the setup. Or is it both?
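The "synthesized by userspace" approach David Miller refers to means splitting an arbitrary inclusive address range into the smallest set of CIDR prefixes the XFRM selector already understands, then installing one policy per prefix. The following is an added illustration, not code from this thread or from the kernel; the `ip xfrm policy add` template it prints is a constructed example, and the destination and direction arguments are assumptions.

```python
"""Decompose an inclusive IPv4/IPv6 range into minimal CIDR prefixes and
emit one `ip xfrm policy add` command per prefix (constructed example)."""
import ipaddress
from typing import List, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def range_to_prefixes(first: str, last: str) -> List[IPNet]:
    """Greedy decomposition: at each step take the widest prefix that is
    aligned at the current address and does not run past `last`."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError("need two addresses of one family with first <= last")
    net_cls = ipaddress.IPv4Network if lo.version == 4 else ipaddress.IPv6Network
    bits = lo.max_prefixlen
    cur, end = int(lo), int(hi)
    out: List[IPNet] = []
    while cur <= end:
        plen = bits
        # Widen the prefix while the block stays aligned and within the range.
        while plen > 0:
            block = 1 << (bits - plen + 1)  # size of the next wider block
            if cur % block != 0 or cur + block - 1 > end:
                break
            plen -= 1
        out.append(net_cls((cur, plen)))
        cur += 1 << (bits - plen)
    return out


def xfrm_policy_cmds(first: str, last: str, dst: str, direction: str = "out") -> List[str]:
    """One ESP tunnel-mode policy per prefix; `dst` and `direction` are
    placeholders chosen by the caller (assumed values, not from the thread)."""
    return [
        f"ip xfrm policy add src {pfx} dst {dst} dir {direction} "
        f"tmpl proto esp mode tunnel"
        for pfx in range_to_prefixes(first, last)
    ]


if __name__ == "__main__":
    # Constructed sample range that is not representable as a single mask.
    for cmd in xfrm_policy_cmds("192.168.0.1", "192.168.0.6", "10.0.0.0/8"):
        print(cmd)
```

The result matches `ipaddress.summarize_address_range`, so the kernel never needs to match ranges: each prefix is a plain selector lookup, which is why Miller keeps this in userspace.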
