[redhat-lspp] LSPP Development Telecon 01/15/2007 Minutes

Venkat Yekkirala vyekkirala at trustedcs.com
Tue Jan 16 20:55:46 UTC 2007


>      GW: from what I can gather policy is a bit more flexible. There is an
> 	interesting property of linux ipsec that came up when Ted and Joe were
> 	visiting; apparently when you have negotiated connection, the first
> 	packet gets dropped. most people don't care, but I was just hoping
> 	everyone is aware of this. since we are negotiating lots of connections,
> 	customers might see this as non desirable especially BSD ipsec doesn't
> 	do this
>      SG: is it tcp or udp packet?
>      JL: does this regardless of packet type
>      KW: what happens it returns "temporarily unavailable". it is better if it
> 	drops the packet rather than returning error
>      SG: I think you are saying you do want to fix this
>      GW: yes, I think it will be desirable to fix it.
>      SG: we need a bugzilla
>      GW: I asked joy to open one but wanted to get your read on it
>      SG: I don't think it is desirable to return an error. so maybe it is a flag
> 	that can be set to not let it do that. Either way, first step is to open
> 	a bugzilla so that people can evaluate it. also a test case on how to
> 	setup and maybe strace output if needed.
>      GW: can you provide that joy
>      JL: yes
>      SG: if you can do it simply that would be better than the lspp setup we
> 	currently have
>      GW: thanks steve. I wasn't even aware of this property. it will affect
> 	customers in this environment.

I think this problem was discussed at netconf 2006 by James Morris:
http://vger.kernel.org/jmorris_ipsec_sa_resolution_netconf2006.pdf



