Subject: Re: Reminder that we are supporting two parallel IPsec implementations
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: None <itojun@iijlab.net>
List: tech-net
Date: 09/12/2003 09:17:50
>> i remember no ad-hoc changes to PF_KEY API/ABI made to netbsd tree.
>> which one do you think ad-hoc?
>> i made changes with reasons. if you call it "ad-hoc" in public it's
>> quite an insult.
>
>There is a bug in the implementation of PF_KEY which is triggered with
>quite modest numbers of simultaneous SAs. Adding a kernfs hook to
>access SAs in order to sidestep that bug is *definitionally* ad-hoc.
aha, socket buffer starvation on SADB_DUMP. i can't really do anything
about it from the PF_KEY point of view. btw, PF_KEY messages are like
SOCK_DGRAM messages: they are unreliable, so it is (spec-wise) normal to
lose some of the messages. therefore it is not a bug, but a feature.
>I'm not 100% sure it's the same bug which manifests on fast-ipsec (both
>NetBSD and FreeBSD) under the same circumstances of medium numbers of
>SAs; but the description sure sounds very similar.
the code is identical in sys/netipsec.
itojun
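The failure mode discussed in the message above (SADB_DUMP replies silently lost when the PF_KEY socket's receive buffer fills) is something a userland caller can at least detect. The following is an added example, not code from the thread or from the NetBSD/KAME tree. It assumes the KAME/setkey convention that the kernel answers SADB_DUMP with one message per SA, numbering the replies with a descending sadb_msg_seq so that the final message carries seq 0; the 16-byte RFC 2367 base header is redeclared locally so the file builds without a platform-specific pfkeyv2.h, and the function names (build_dump_request, check_dump_reply, simulate_dump) are this example's own.

```c
/* Added example: detect an incomplete SADB_DUMP reply stream.
 * Not part of the original thread or of any PF_KEY implementation.
 * Assumption: replies are numbered with a descending sadb_msg_seq and the
 * last SA message has seq 0 (KAME/setkey convention). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PFKEY_V2        2
#define SADB_DUMP       10
#define PFKEY_UNIT64(u) ((size_t)(u) * 8)   /* sadb_msg_len is in 8-byte units */

/* RFC 2367 base header, redeclared here to avoid <net/pfkeyv2.h>. */
struct sadb_hdr {
    uint8_t  version, type, err, satype;
    uint16_t len;        /* whole message, in 8-byte units */
    uint16_t reserved;
    uint32_t seq;
    uint32_t pid;
};

enum dump_status {
    DUMP_COMPLETE,       /* every SA arrived and the stream ended with seq 0 */
    DUMP_TRUNCATED,      /* stream ended before the seq-0 message (tail lost) */
    DUMP_GAP,            /* a sequence number was skipped (middle message lost) */
    DUMP_MALFORMED,      /* header does not fit the buffer it describes */
    DUMP_KERNEL_ERROR    /* kernel set sadb_msg_errno, e.g. ENOENT for an empty SAD */
};

struct dump_result { enum dump_status status; size_t n_sas; };

/* Build the 16-byte SADB_DUMP request written to a PF_KEY socket;
 * satype 0 (SADB_SATYPE_UNSPEC) asks for every SA type. Returns bytes written. */
size_t build_dump_request(uint8_t *out, size_t cap, uint32_t seq, uint32_t pid)
{
    struct sadb_hdr h;
    if (cap < sizeof h) return 0;
    memset(&h, 0, sizeof h);
    h.version = PFKEY_V2;
    h.type    = SADB_DUMP;
    h.len     = sizeof h / 8;
    h.seq     = seq;
    h.pid     = pid;
    memcpy(out, &h, sizeof h);
    return sizeof h;
}

/* Walk the concatenated reply messages read from the socket and decide
 * whether the dump is complete. Lost messages show up as a jump in the
 * descending seq, or as a stream that never reaches seq 0. */
struct dump_result check_dump_reply(const uint8_t *buf, size_t len)
{
    struct dump_result r = { DUMP_TRUNCATED, 0 };
    size_t off = 0;
    int have_prev = 0;
    uint32_t prev_seq = 0;

    while (off < len) {
        struct sadb_hdr h;
        if (len - off < sizeof h) { r.status = DUMP_MALFORMED; return r; }
        memcpy(&h, buf + off, sizeof h);
        size_t mlen = PFKEY_UNIT64(h.len);
        if (h.version != PFKEY_V2 || h.type != SADB_DUMP ||
            mlen < sizeof h || mlen > len - off) {
            r.status = DUMP_MALFORMED; return r;
        }
        if (h.err != 0) { r.status = DUMP_KERNEL_ERROR; return r; }
        if (have_prev && h.seq != prev_seq - 1) { r.status = DUMP_GAP; return r; }
        r.n_sas++;
        have_prev = 1;
        prev_seq = h.seq;
        off += mlen;
        if (h.seq == 0) { r.status = DUMP_COMPLETE; return r; }
    }
    return r;   /* ran out of data before seq 0: tail of the dump was dropped */
}

/* Constructed input: fabricate a reply stream with the given seq values
 * (header plus one 8-byte filler unit standing in for the SA extensions)
 * and run the checker over it. */
struct dump_result simulate_dump(const uint32_t *seqs, size_t n)
{
    uint8_t buf[64 * 24];
    size_t off = 0;
    for (size_t i = 0; i < n && off + 24 <= sizeof buf; i++) {
        struct sadb_hdr h;
        memset(&h, 0, sizeof h);
        h.version = PFKEY_V2; h.type = SADB_DUMP; h.satype = 3; /* ESP */
        h.len = 3; h.seq = seqs[i]; h.pid = 4242;
        memcpy(buf + off, &h, sizeof h);
        memset(buf + off + sizeof h, 0, 8);
        off += 24;
    }
    return check_dump_reply(buf, off);
}

int main(void)
{
    static const struct { const char *name; uint32_t seqs[3]; size_t n; } cases[] = {
        { "all SAs delivered",       {2, 1, 0}, 3 },
        { "middle message dropped",  {2, 0, 0}, 2 },
        { "tail dropped (no seq 0)", {2, 1, 0}, 2 },
    };
    for (size_t i = 0; i < 3; i++) {
        struct dump_result r = simulate_dump(cases[i].seqs, cases[i].n);
        printf("%-26s -> status %d, %zu SA message(s) seen\n", cases[i].name, r.status, r.n_sas);
    }
    return 0;
}
```

Against a live PF_KEY socket the same check applies per message: read replies one at a time and feed the concatenation to check_dump_reply; anything other than DUMP_COMPLETE means the socket buffer overflowed and the dump must be retried, ideally after raising SO_RCVBUF with setsockopt on that socket before sending the request, which is the only lever a userland caller has against the starvation described above.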