On Sun, Jun 29, 2003 at 11:54:31PM +0400, kuznet@ms2.inr.ac.ru wrote:
>
> Pre-resolution is just the only known universal approach. And "complexity"
> is not added to KM, it must be present there in either case. It is the only
> job which it is responsible for.

It is true that the KM needs this logic for other purposes. In particular
it needs to know how it can send ISAKMP packets to the peer.

However, it does make it more complex in that a new connection could cause
all existing policy templates to change.

For example, suppose I have 10 IPsec policies off to 10 remote sites. Now
I create an ESP tunnel to my next-hop gateway from any to any. This means
that I'll need to update all policies in the SPD.

Cheers,
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
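The churn Herbert describes, as an added illustration that is not code from the thread: a constructed Python model of an SPD whose policies are pre-resolved into ordered tunnel bundles. Ten site policies are installed, then an any-to-any ESP policy to the next-hop gateway; the addresses, the most-specific-match lookup rule, and the rule that a tunnel does not re-wrap packets addressed to its own peer are all assumptions of this model.

```python
"""Model of SPD pre-resolution churn: one broad tunnel policy forces every
existing policy's SA bundle to be re-resolved. Constructed example."""
from ipaddress import ip_address, ip_network

# A policy: traffic matching `selector` is ESP-tunnelled to `peer`.
# All addresses below are constructed (TEST-NET / RFC 1918 ranges).
def policy(selector, peer):
    return {"selector": ip_network(selector), "peer": ip_address(peer)}

def lookup(spd, dst):
    """Most-specific policy whose selector covers dst, or None."""
    for p in sorted(spd, key=lambda p: -p["selector"].prefixlen):
        if dst in p["selector"]:
            return p
    return None

def resolve_bundle(spd, dst, max_depth=8):
    """Pre-resolve the ordered chain of tunnel peers a packet to dst is
    wrapped in. Each outer packet is addressed to the previous peer, so
    it is looked up in the SPD again until nothing matches. Assumed rule:
    a tunnel does not re-encapsulate packets addressed to its own peer."""
    bundle, hop = [], ip_address(dst)
    for _ in range(max_depth):          # depth bound guards against loops
        p = lookup(spd, hop)
        if p is None or p["peer"] == hop:
            break
        bundle.append(str(p["peer"]))
        hop = p["peer"]
    return tuple(bundle)

def resolve_all(spd):
    """Map each policy's selector to its pre-resolved bundle."""
    return {str(p["selector"]): resolve_bundle(spd, p["selector"][0])
            for p in spd}

def churn(spd_before, spd_after):
    """Selectors whose resolved bundle changed after the SPD update."""
    before, after = resolve_all(spd_before), resolve_all(spd_after)
    return sorted(s for s in before if after.get(s) != before[s])

# Ten site policies: 10.N.0.0/16 tunnelled to remote gateway 198.51.100.N.
SITE_SPD = [policy(f"10.{n}.0.0/16", f"198.51.100.{n}") for n in range(1, 11)]
# The new any-to-any ESP tunnel to the local next-hop gateway.
GATEWAY_TUNNEL = policy("0.0.0.0/0", "192.0.2.1")

if __name__ == "__main__":
    changed = churn(SITE_SPD, SITE_SPD + [GATEWAY_TUNNEL])
    print(len(changed), "of", len(SITE_SPD), "policies re-resolved")
```

Every site bundle grows from one ESP hop to two, so all ten existing SPD entries must be rewritten even though none of them was edited.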