Re: [Ipsec-tools-devel] How to send additional data from kernel to racoon?
Brought to you by:
mit_warlord,
netbsd
From: Michal L. <mi...@lo...> - 2004-11-23 11:13:50
|
On Sat, 20 Nov 2004, Aidas Kasparas wrote: > Park Lee wrote: > > > Then, I would: > > > - add field for colorcoding into SA datastructure; > > > - extend SA selection algorithm to include check for color code; > > > - if kernel will not find appropriate SA, it will send ACQUIRE > > > message, which has to be extended with required colorcode ant other > > > info you need (most likely by adding KMPRIVATE extension); > > > > But, In Appendix C: Key Management Private Data Extension(RFC2367), It > > says: The Key Management Private Data extension is attached to either an > > SADB_ADD or SADB_UPDATE message. It attaches a single piece of arbitrary > > data to a security association.... > > > > Then, Would you please tell me Can KMPRIVATE extension also be attached > > to SADB_ACQUIRE message? > > > > Technically, yes, it can be attached. Extensions are constructed the way, that > even unknown extension can be skipped over and dealt with only those, what are > known to application. On the other hand, both, kernel and racoon "normalizes" > packet first, and only then takes required information from normalized packet. > > Politically... politically maybe you'd better invent extension specifically > for your application (as there are others invented for NAT-T, etc; see > /usr/include/linux/pfkeyv2.h SADB_EXT* SADB_X_EXT* definitions) document and > implement it. Then you'll be free to define which messages it can be attached. I haven't closely followed the thread but ... how about moving from PF_KEY to NetLink in IPsec-tools on Linux? NetLink messages are more versatile I think and could better suit Park's requirements. But it's just my feeling, I don't know too much about NetLink either ;-) Michal Ludvig -- * A mouse is a device used to point at the xterm you want to type in. * Personal homepage - http://www.logix.cz/michal |