
Re: ipsec questions/bugs/fixes (PF_KEY/PF_ENCAP)




In message <4.1.19990309134423.03dab830@mail.codetalker.com>, Kjell Wooding writes:
>>You forgot to specify the IV for the transforms. PF_ENCAP was
>>able to do IV-less mode by deriving an IV from the packet headers.
>>We don't do that any more with PFKEYv2.
>>So just modify your scripts to include a -iv line:
>
>hm? Doesn't specifying an -iv option now give you a "option is depreciated"
>warning? Your comment seems to indicate the opposite.

In the PFKEY machine, the -iv option would be ignored because the kernel
does the right thing by default. In the PFENCAP machine, the -iv option
would cause the kernel to do the right thing. The value in the -iv option
is immaterial really.
-Angelos