Hello!

> The network 10.10.10.0/24 is the trusted network T. Any packets
> with source addresses in T via the ESP tunnel are genuine.

What makes it "trusted"? I do not see any references to this subnet in the description. It is not wonderful that such a trusted network turns out to be untrusted eventually. :-)

> if we sacrifice a bit of elegance and allow the eligible IPIP
> tunnel to match the IPCOMP SA.

Actually, you have already sacrificed all the elegance earlier. :-)

> which currently can only be achieved with multiple SAs unless you
> make the selector wider than it should be.

Despite the ironical comments above, I understand that it is a real source of pain. OK, let's split the problem:

1. Enforcing a single subnet selector on an SA is evil. Agreed and ready to accept any solution for this, including even your one, despite it being very indirect.

2. That T subnet... I do not understand: if it is "trusted", you have some policy for this which asserts this trust. How could spoofed packets pass through this policy?

Please understand, I still think you are going to take a magic cure, which would make you feel healthy both wrt 1 and 2. But it will not unless you have the picture clean.

Alexey
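The point raised in item 2, that a subnet is only "trusted" where an inbound policy asserts it, can be made concrete with a small model of how an IPsec SPD lookup decides the fate of an incoming packet. The following is an added example written for this thread; it is not code from the message or from the Linux kernel, but a simplified model of the XFRM inbound check (selector lookup, then template matching against the SAs the packet was actually decapsulated from). The trusted network 10.10.10.0/24 is T from the thread; the local subnet 192.168.1.0/24, the tunnel endpoints 203.0.113.1 and 203.0.113.2, and the stray peer 198.51.100.9 are constructed for the example. Template order (outermost SA first) and the handling of a missing policy are simplifications and are labelled as such in the code.

```python
"""Simplified model of the inbound IPsec policy check (XFRM-style).

Added example, not code from the thread or from the kernel. It shows why a
cleartext packet with a source address in the "trusted" subnet T cannot pass
an inbound policy that requires the ESP tunnel SA.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Template:
    """One layer of protection a policy demands (ip xfrm policy ... tmpl ...)."""
    proto: str             # "esp", "ah" or "ipcomp"
    mode: str              # "tunnel" or "transport"
    src: str               # outer endpoints, meaningful for tunnel mode
    dst: str
    optional: bool = False # ip(8) marks ipcomp templates as "level use" (optional)


@dataclass(frozen=True)
class SAHop:
    """One SA an inbound packet was really decapsulated from (a sec_path entry)."""
    proto: str
    mode: str
    src: str
    dst: str

    def satisfies(self, tmpl: Template) -> bool:
        return (self.proto == tmpl.proto and self.mode == tmpl.mode
                and (tmpl.mode != "tunnel"
                     or (self.src == tmpl.src and self.dst == tmpl.dst)))


@dataclass
class Policy:
    src_sel: str                 # selector, e.g. "10.10.10.0/24"
    dst_sel: str
    templates: List[Template]    # simplification: listed outermost SA first

    def selects(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src_sel)
                and ip_address(dst) in ip_network(self.dst_sel))


@dataclass
class Packet:
    src: str
    dst: str
    sec_path: List[SAHop] = field(default_factory=list)  # empty means plaintext


def templates_satisfied(policy: Policy, pkt: Packet) -> bool:
    """Walk the policy templates against the SAs the packet actually traversed."""
    i = 0
    for tmpl in policy.templates:
        found = False
        while i < len(pkt.sec_path):
            hop = pkt.sec_path[i]
            i += 1
            if hop.satisfies(tmpl):
                found = True
                break
            if hop.mode == "tunnel":   # an unexpected tunnel SA: leave it for the leftover check
                i -= 1
                break
        if not found and not tmpl.optional:
            return False               # required protection is missing
    # tunnel-mode SAs the policy never asked for are a mismatch as well
    return all(h.mode == "transport" for h in pkt.sec_path[i:])


def inbound_verdict(policies: List[Policy], pkt: Packet) -> str:
    """Return "accept" or "drop" for an inbound packet; first matching selector wins."""
    for pol in policies:
        if pol.selects(pkt.src, pkt.dst):
            return "accept" if templates_satisfied(pol, pkt) else "drop"
    # Simplification of the no-policy case: plaintext is let through,
    # but a tunnelled packet that no policy asked for is not.
    return "drop" if any(h.mode == "tunnel" for h in pkt.sec_path) else "accept"


TRUSTED_NET = "10.10.10.0/24"                     # T, from the thread
LOCAL_NET = "192.168.1.0/24"                      # constructed
PEER_GW, LOCAL_GW = "203.0.113.1", "203.0.113.2"  # constructed tunnel endpoints

# Equivalent to the inbound policy:
#   ip xfrm policy add src 10.10.10.0/24 dst 192.168.1.0/24 dir in \
#       tmpl src 203.0.113.1 dst 203.0.113.2 proto esp mode tunnel
# with an optional IPCOMP template inside the ESP tunnel.
SPD = [Policy(TRUSTED_NET, LOCAL_NET, [
    Template("esp", "tunnel", PEER_GW, LOCAL_GW),
    Template("ipcomp", "tunnel", PEER_GW, LOCAL_GW, optional=True),
])]


def run_samples() -> dict:
    """Feed constructed packets through the SPD and collect the verdicts."""
    via_esp = SAHop("esp", "tunnel", PEER_GW, LOCAL_GW)
    via_ipcomp = SAHop("ipcomp", "tunnel", PEER_GW, LOCAL_GW)
    via_other_peer = SAHop("esp", "tunnel", "198.51.100.9", LOCAL_GW)  # constructed stray peer
    return {
        # cleartext packet claiming a source in T: selector matches, no SA, so dropped
        "spoofed_plaintext": inbound_verdict(SPD, Packet("10.10.10.5", "192.168.1.7")),
        "genuine_esp": inbound_verdict(SPD, Packet("10.10.10.5", "192.168.1.7", [via_esp])),
        "esp_plus_ipcomp": inbound_verdict(SPD, Packet("10.10.10.5", "192.168.1.7", [via_esp, via_ipcomp])),
        "wrong_peer_sa": inbound_verdict(SPD, Packet("10.10.10.5", "192.168.1.7", [via_other_peer])),
        # T is "trusted" only where a policy says so: nothing covers this destination
        "no_policy_plaintext": inbound_verdict(SPD, Packet("10.10.10.5", "172.16.0.1")),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:>20}: {verdict}")
```

The spoofed cleartext packet is dropped not because its source address is untrusted but because the policy that selects it demands the ESP tunnel SA and the packet never went through one; the same addresses arriving through the correct SA are accepted, and the last sample shows that outside the policy's selector no such assertion exists at all.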