From: Steffen Klassert <steffen.klassert@secunet.com>
To: <netdev@vger.kernel.org>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
David Miller <davem@davemloft.net>
Subject: IPsec workshop at netdev01?
Date: Tue, 6 Jan 2015 11:19:37 +0100 [thread overview]
Message-ID: <20150106101936.GC31458@secunet.com> (raw)
Is there any interest in doing an IPsec workshop at netdev01?
This mail is to probe if we can gather enough discussion topics to run
such a workshop. So if someone is interested to attend and/or has a
related discussion topic, please let me know.
The idea to do this workshop came yesterday, so I'm still collecting
topics I'm interested in. Some things that came immediately to my mind
are:
- Our IPsec policy/state lookups are still hashlist based on slowpath with
a flowcache to do fast lookups for traffic flows we have already seen.
This flowcache has similar issues like the ipv4 routing chache had.
Is the flowcache an appropriate lookup method on the long run or should
we at least think about an additional alternative lookup method?
- We still lack a 32/64 bit compatibiltiy layer for IPsec, this issue
comes up from time to time. Some solutions were proposed in the past
but all had problems. The current behaviour is broken if someone tries
to configure IPsec with 32 bit tools on a 64 bit machine. Can we get
this right somehow or is it better to just return an error in this case?
- Changing the system time can lead to unexpected SA lifetime changes. The
discussion on the list did not lead to a conclusion on how to fix this.
What is the best way to get this fixed?
- The IPsec policy enforcement default is to allow all flows that don't
match a policy. On systems with a high security level it might be
intersting to configurable invert the default from allow to block. With
the default to block configured, we would need allow policies for all
packet flows we accept. Some people would be even interested in a knob
to enforce a certain default behaviour until the next reboot. Is this
reasonable? How far can we get here?
- A more general thing: How complete is our IPsec implementation? Are there
things that should be implemented but we don't have it?
next reply other threads:[~2015-01-06 10:19 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-06 10:19 Steffen Klassert [this message]
2015-01-06 11:15 ` IPsec workshop at netdev01? Jamal Hadi Salim
2015-01-06 17:00 ` Florian Westphal
2015-01-07 10:31 ` Steffen Klassert
2015-01-07 12:55 ` Florian Westphal
2015-01-12 17:19 ` Nicolas Dichtel
2015-01-09 5:30 ` Fan Du
2015-01-26 9:11 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150106101936.GC31458@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=jhs@mojatatu.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).