Hello!

> Please let me know of your opinion on this.

I still do not know. My feeling is that this hack is a pathology, not related at all to the issue which it is supposed to fix. At least, I do not see such a connection.

The effects of the fix are huge: complete and precise synchronization of policies over all the participants becomes a must, and everything becomes utterly fragile, at least at first sight.

I do not see why a sender cannot use an ESP SA if such an SA is available. I do not understand why a receiver should drop encrypted packets when the sender did a ping -P xxx. I do not understand how end-to-end security can be weakened by some additional transformations.

Taking into account that I do not have an alternative suggestion (well, except for one with selectors), I cannot object. However, I think this approach requires some additional elements to become more or less sane: something that allows ignoring irrelevant transformations, a do-not-care policy, maybe something hardcoded, a sort of ignoring of all the transformations when the inner one authenticates end-to-end. Think about this.

Alexey

-
: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html