lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 21 Nov 2013 13:17:32 +0100
From:	Steffen Klassert <steffen.klassert@...unet.com>
To:	Fan Du <fan.du@...driver.com>
Cc:	Saurabh Mohan <saurabh.mohan@...cade.com>,
	Christophe Gouault <christophe.gouault@...nd.com>,
	"David S. Miller" <davem@...emloft.net>,
	Herbert Xu <herbert@...dor.hengli.com.au>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	Sergei Shtylyov <sergei.shtylyov@...entembedded.com>,
	Eric Dumazet <eric.dumazet@...il.com>
Subject: Re: [PATCH net v3] vti: fix spd lookup: match plaintext pkt, not
 ipsec pkt

On Tue, Nov 19, 2013 at 05:16:34PM +0800, Fan Du wrote:
> 
> Or the VTI tunnel is the only tunnel with this specific source/destination address
> in the production deployment. Again the upper layer 4 will check the policy after
> all, that's the right place to do the policy checking.
> 
> So IMO, it's unnecessary to check policy for a net_device like VTI, actually I hold
> a patch of removing the VTI policy checking due to net-next closure for the moment.
> 

Please keep in mind that this will change the lookup from the
IPsec traffic to the plaintext traffic, like Christophe proposed
to do. This means that the transmit side has to be changed too.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ