Subject: Re: Reminder that we are supporting two parallel IPsec implementations
To: <>
From: None <itojun@iijlab.net>
List: tech-net
Date: 09/12/2003 09:23:21
>>> i remember no ad-hoc changes to PF_KEY API/ABI made to netbsd tree.
>>> which one do you think ad-hoc?
>>> i made changes with reasons. if you call it "ad-hoc" in public it's
>>> quite an insult.
>>
>>There is a bug in the implementation of PF_KEY which is triggered with
>>quite modest numbers of simultaneous SAs. Adding a kernfs hook to
>>access SAs in order to sidestep that bug is *definitionally*, ad-hoc.
>
> aha, socket buffer starvation on SADB_DUMP. i can't really do anything
> about it from PF_KEY point of view. btw, PF_KEY message is like
> SOCK_DGRAM messages, they are unreliable so it is (specwise) normal to
> lose some of the messages. therefore it is not a bug, but a feature.

and i wanted /kern/ipsec{sa,sp} for a long time, not just to work around
the issue. it is not ad-hoc. now i would like to hear an apology for
calling it ad-hoc.

itojun