[redhat-lspp] LSPP Development Telecon 01/15/2007 Minutes
Venkat Yekkirala
vyekkirala at trustedcs.com
Tue Jan 16 20:55:46 UTC 2007
> GW: from what I can gather policy is a bit more flexible. There is an interesting property of Linux ipsec that came up when Ted and Joe were visiting; apparently when you have negotiated connection, the first packet gets dropped. most people don't care, but I was just hoping everyone is aware of this. since we are negotiating lots of connections, customers might see this as non desirable especially BSD ipsec doesn't do this
> SG: is it tcp or udp packet?
> JL: does this regardless of packet type
> KW: what happens it returns "temporarily unavailable". it is better if it drops the packet rather than returning error
> SG: I think you are saying you do want to fix this
> GW: yes, I think it will be desirable to fix it.
> SG: we need a bugzilla
> GW: I asked Joy to open one but wanted to get your read on it
> SG: I don't think it is desirable to return an error. so maybe it is a flag that can be set to not let it do that. Either way, first step is to open a bugzilla so that people can evaluate it. also a test case on how to setup and maybe strace output if needed.
> GW: can you provide that Joy
> JL: yes
> SG: if you can do it simply that would be better than the lspp setup we currently have
> GW: thanks Steve. I wasn't even aware of this property. it will affect customers in this environment.
I think this problem was discussed at netconf 2006 by James Morris:
http://vger.kernel.org/jmorris_ipsec_sa_resolution_netconf2006.pdf