On Sat, Jun 07, 2003 at 01:55:11AM -0700, David S. Miller wrote: > > Would you object if I added use_time expiration for the SPD? > > It doesn't make any sense, use_time's protect the integrity of the > encryption algorithm, policies do not describe the encryption > algorithms. For policies use_time can be used to detect/delete unused policies. In fact, the way use_time is updated in xfrm_policy.c already allows this to happen. With Opportunistic Encryption, the system will need to add one ALLOW policy for each destination that fails to negotiate OE. On a busy host, this would eventually lead to a large policy table. FreeSWAN scans the SPD regularly to delete unused ALLOW policies. If we implemented use_time expiration in the SPD, then this could be avoided as the kernel can simply remove unused policies after a set time and then inform user space about it. Another application would be for detecting dead IPsec peers. By setting a soft use_time limit on an incoming policy, you can detect connections that haven't received traffic for a while and take the appropriate action (e.g., send pings and ultimately tear down the connection). -- Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ ) Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt - : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
