[<prev] [next>] [thread-next>] [month] [year] [list]
Date: Thu, 01 Feb 2007 16:51:21 -0600
From: Joy Latten <latten@...tin.ibm.com>
To: netdev@...r.kernel.org
Subject: when having to acquire an SA, ipsec drops the packet
IPsec returns EAGAIN when it needs to acquire an SA.
There have been a thread or two about this...
Has there been any info or progress in how best to fix this?
James Morris presented some work/ideas,
http://vger.kernel.org/jmorris_ipsec_sa_resolution_netconf2006.pdf
When using labeled xfrms (xfrms that contain a security context), there
is potential for a greater amount of SAs to be created than when using
regular xfrms. An SA may be created every time a different security
context is encountered in a particular traffic stream. This could be
many if each networking app has its own security context, making current
behavior problematic.
Bugreport 225328 has been opened in the Redhat Bugzilla to address
when having to acquire an SA, ipsec drops the packet.
Regards,
Joy
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux