
(usagi-users 03132) Re: [Ipsec-tools-devel] How to send additional data from kernel to racoon?





Park Lee wrote:
>Then, I would:
> - add field for colorcoding into SA datastructure;
> - extend SA selection algorithm to include check for color code;
> - if kernel will not find appropriate SA, it will send ACQUIRE
> message, which has to be extended with required colorcode and other
> info you need (most likely by adding KMPRIVATE extension);
But in Appendix C: Key Management Private Data Extension (RFC 2367), it says: "The Key Management Private Data extension is attached to either an SADB_ADD or SADB_UPDATE message. It attaches a single piece of arbitrary data to a security association...."
Then, would you please tell me: can the KMPRIVATE extension also be attached to an SADB_ACQUIRE message?

Technically, yes, it can be attached. Extensions are constructed in such a way that even an unknown extension can be skipped over, and only those known to the application are dealt with. On the other hand, both the kernel and racoon "normalize" the packet first, and only then take the required information from the normalized packet.


Politically... politically, maybe you'd better invent an extension specifically for your application (as others were invented for NAT-T, etc.; see the SADB_EXT_* and SADB_X_EXT_* definitions in /usr/include/linux/pfkeyv2.h), document it and implement it. Then you'll be free to define which messages it can be attached to.

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
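The extension-walking behaviour described in the reply above (each extension is stepped over by its own length, so an unknown type is skipped rather than rejected, which is what lets a private extension ride on any message type), as an added example in C that is not from this thread, racoon or the kernel. The struct layouts mirror RFC 2367, the SADB_ACQUIRE message is constructed, and walk_pfkey, build_sample_acquire and g_sample are names of my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constants as defined in RFC 2367 / linux/pfkeyv2.h; UNIT64 because every
 * PF_KEY length is counted in 64-bit units. */
enum { PF_KEY_V2 = 2, SADB_ACQUIRE = 6, SADB_EXT_PROPOSAL = 13, SADB_X_EXT_KMPRIVATE = 17, UNIT64 = 8 };

struct sadb_msg { uint8_t version, type, err, satype; uint16_t len, reserved; uint32_t seq, pid; };
struct sadb_ext { uint16_t len, type; };   /* generic header every extension starts with */
struct walk_result { int known, unknown, kmprivate_bytes, malformed; };

/* Step through the extension chain as kernel and racoon do: each extension is
 * skipped by its own length, so an unknown type is passed over, not rejected.
 * Lengths are bounds-checked so a truncated or lying extension cannot push the
 * walker past the buffer. */
struct walk_result walk_pfkey(const uint8_t *buf, size_t buflen)
{
    struct walk_result r = {0, 0, 0, 0};
    struct sadb_msg hdr;
    if (buflen < sizeof hdr) { r.malformed = 1; return r; }
    memcpy(&hdr, buf, sizeof hdr);
    size_t total = (size_t)hdr.len * UNIT64;   /* header plus all extensions */
    if (hdr.version != PF_KEY_V2 || total < sizeof hdr || total > buflen) { r.malformed = 1; return r; }
    for (size_t off = sizeof hdr; off < total; ) {
        struct sadb_ext ext;
        if (total - off < UNIT64) { r.malformed = 1; return r; }
        memcpy(&ext, buf + off, sizeof ext);
        size_t elen = (size_t)ext.len * UNIT64;
        if (elen < UNIT64 || elen > total - off) { r.malformed = 1; return r; }
        if (ext.type == SADB_EXT_PROPOSAL) r.known++;
        else if (ext.type == SADB_X_EXT_KMPRIVATE) { r.known++; r.kmprivate_bytes = (int)(elen - sizeof ext); }
        else r.unknown++;                       /* unknown type: skip it, do not fail */
        off += elen;
    }
    return r;
}

/* Constructed SADB_ACQUIRE: a proposal, a KMPRIVATE extension and an extension
 * of a type no parser knows. Bodies are left zeroed; only the framing matters. */
static uint8_t g_sample[64];
static void put_ext(uint8_t *p, uint16_t units, uint16_t type) { struct sadb_ext e = { units, type }; memcpy(p, &e, sizeof e); }
size_t build_sample_acquire(void)                   /* returns the message length, 48 bytes */
{
    struct sadb_msg hdr = { PF_KEY_V2, SADB_ACQUIRE, 0, 0, 6, 0, 1, 1234 };
    memset(g_sample, 0, sizeof g_sample);
    memcpy(g_sample, &hdr, sizeof hdr);
    put_ext(g_sample + 16, 1, SADB_EXT_PROPOSAL);     /* 8 bytes */
    put_ext(g_sample + 24, 2, SADB_X_EXT_KMPRIVATE);  /* 16 bytes: 12 of private data */
    put_ext(g_sample + 40, 1, 200);                   /* 8 bytes, type no parser knows */
    return 6 * UNIT64;
}
```

Delivering the same message with a shorter buffer, or with an extension length of zero, makes walk_pfkey report it as malformed instead of reading past the end or looping forever.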