From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Sun, 1 Jun 2003 18:06:14 +1000

On Sun, Jun 01, 2003 at 12:56:57AM -0700, David S. Miller wrote:
> The idea is, if "use_time" is currently unset, the earliest
> value it could possibly be set to is "now". Therefore, the
> earliest a hard/soft use expiration could hit is that
> many seconds from "now".
>
> Understood?

This does mean that if a state is never used it will never expire. But I guess that's probably intended.

It is exactly the intention. The use expiration is meant to expire the state X seconds after the first packet ever using that transformation is created.

Conceptually, the strength of a transform is weakened once the attacker can sniff some packets using the transform and he has had this information for some amount of time. And this is what these lifetime parameters are trying to express.

Thanks for working through this with me, I will apply the patch I posted to fix this.

-
: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
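The timer rule the thread settles on, written out as a small stand-alone model (this is an added example, not the patch or the kernel's xfrm code; the struct and function names are assumptions for illustration): a use lifetime counts from the first use, and for a never-used state the earliest possible first use is "now", so the candidate expiry keeps sliding forward and never fires.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of a state's use lifetime. Field names are assumptions
 * chosen for this example, not the kernel's own structures. */
struct use_lifetime {
    uint64_t use_time;                 /* seconds; 0 = never used */
    uint64_t soft_use_expires_seconds; /* 0 = no soft use limit */
    uint64_t hard_use_expires_seconds; /* 0 = no hard use limit */
};

enum expire_kind { EXPIRE_NONE = 0, EXPIRE_SOFT = 1, EXPIRE_HARD = 2 };

/* Compute the earliest use expiry. Returns which kind fires first and writes
 * the absolute time into *next. For an unused state the base is "now", so the
 * result is always in the future: such a state never expires on use. */
enum expire_kind use_expiry_next(const struct use_lifetime *lt, uint64_t now,
                                 uint64_t *next)
{
    /* Earliest possible first-use time: the recorded use_time, else "now". */
    uint64_t base = lt->use_time ? lt->use_time : now;
    enum expire_kind kind = EXPIRE_NONE;
    uint64_t best = UINT64_MAX;

    if (lt->hard_use_expires_seconds) {
        best = base + lt->hard_use_expires_seconds;
        kind = EXPIRE_HARD;
    }
    if (lt->soft_use_expires_seconds) {
        uint64_t t = base + lt->soft_use_expires_seconds;
        if (t <= best) {      /* soft limit fires no later than hard */
            best = t;
            kind = EXPIRE_SOFT;
        }
    }
    if (kind != EXPIRE_NONE)
        *next = best;
    return kind;
}

/* True if a use expiry is due at "now"; *kind says whether soft or hard. */
bool use_expiry_due(const struct use_lifetime *lt, uint64_t now,
                    enum expire_kind *kind)
{
    uint64_t next;
    enum expire_kind k = use_expiry_next(lt, now, &next);
    if (k == EXPIRE_NONE || next > now)
        return false;
    *kind = k;
    return true;
}
```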