Subject: Re: Reminder that we are supporting two parallel IPsec implementations
To: None <tech-net@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 09/12/2003 15:56:44

On Fri, Sep 12, 2003 at 12:46:57PM -0700, Bill Studenmund wrote:
>
> Jonathan, please stop this attack on kernfs.

I think that "attack" is unreasonably strong language here.

Besides, as a project we've revisited the "can we require kernfs"
issue probably a dozen times. There's no consensus that the answer
is "yes" -- in fact, generally we hash it out in private and end
up with "no".

Furthermore:

1) PF_KEY is an interface defined by a standard. The pain of working
with systems that require nonstandard extensions in order to obtain
the standard PF_KEY functionality? I've been there, done that, and
have the scars to prove it -- no, thank you! And when N different
systems all decide to embed necessary functionality in N different
PF_KEY extension mechanisms -- ugh. This is the first skittering
step down an _extremely_ slippery slope, if you ask me -- and the
pain that this change is already causing Jonathan and Sam is pretty
good evidence that we're about to start sliding.

2) As Matt Thomas already pointed out, we have a way for network protocols
to work around the message-size issue that inspired Itojun's original
change. It would be, it seems to me, much more appropriate to use the
existing functionality than to require anyone who wants to use IPsec to
use kernfs, which would be a significant divergence from our traditional
position on that issue.

Thor