[Ipsec-tools-devel] RFE: Netlink interface and dynamic addition of sainfo sections

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I'd like to request two enhancements to ipsec-tools. I might eventually 
be able to do them myself, but since I'm not sure if or when I'd be able 
to do so, so I thought I'd send out the requests anyone to see if anyone 
is willing to work on it.

First, it'd be nice if both racoon and setkey used the netlink interface 
instead of PF_KEY. My main reason for asking this is because the netlink 
interface supports priorities for SPD policies. These priorities can be 
used to determine where in the security policy list a new policy is 
inserted. Without being able to specify a priority, policies always get 
inserted at the end of the list. Thus if you ever want to insert a more 
specific policy before a more general one, there is no way to do this 
that does not involve removing the general one.

The other enhancement which would be useful would be a way for sainfo 
sections to be added dynamically at runtime without requiring racoon to 
be restarted (ie. via SIGHUP), maybe through the admin interface. By 
doing this, you could add new policies dynamically and also be able to 
configure the security parameters for these new policies without 
restarting racoon.

These are just suggestions, but I do think they could make ipsec-tools 
more useful in dynamic situations.

Brian