From: Brian B. <bbu...@qu...> - 2004-02-12 20:11:13
I'd like to request two enhancements to ipsec-tools. I might eventually be able to do them myself, but since I'm not sure if or when I'd be able to do so, I thought I'd send out the requests to see if anyone is willing to work on them.

First, it'd be nice if both racoon and setkey used the netlink interface instead of PF_KEY. My main reason for asking this is because the netlink interface supports priorities for SPD policies. These priorities can be used to determine where in the security policy list a new policy is inserted. Without being able to specify a priority, policies always get inserted at the end of the list. Thus if you ever want to insert a more specific policy before a more general one, there is no way to do this that does not involve removing the general one.

The other enhancement which would be useful would be a way for sainfo sections to be added dynamically at runtime without requiring racoon to be restarted (i.e. via SIGHUP), maybe through the admin interface. By doing this, you could add new policies dynamically and also be able to configure the security parameters for these new policies without restarting racoon.

These are just suggestions, but I do think they could make ipsec-tools more useful in dynamic situations.

Brian