
linux-ipsec: talking about SAs

From: Henry Spencer <henry(at)spsystems.net>
Date: Tue Jul 21 1998 - 22:37:34 EDT


A while back I happened to be thinking about some aspects of command-line and/or control-file syntax, and an idea hit me.

How does one refer to an SA? Well, an SA is identified by three things: a destination address, an SPI, and a flag that says "AH" or "ESP".

(Our current interfaces don't exhibit this clearly. Partly that's because they muddle together the SAs and the SPD, in the IPSEC equivalent of confusing addressing with routing: the SA is a label for an instance of a transform, while the SPD maps destinations/ports/protocols/etc to SAs. We currently don't clearly distinguish the two, but that will have to change sometime soon. And partly it's because we don't have separate SPI number spaces for AH and ESP, and consequently don't see that flag in some contexts where it would otherwise be needed. We're not actually required to have separate number spaces, but we have to respect the fact that other implementations might, so we'll sometimes need a way to talk about them.)

Currently, when we want to refer to an SA, we end up having to put several command-line arguments together, because we don't have a syntax that keeps them bundled together. This contributes to the "57 positional parameters" problem in some of the interfaces.

The idea was: if we want to refer to destination 1.2.3.4, SPI 357, AH, why not write it as "ah357@1.2.3.4"? I think the chances of confusion with mail addresses are minimal, and the notation is about as intuitive as they come.

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
Received on Wed Jul 22 00:10:34 1998

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:25 EDT
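A parser and formatter for the bundled notation proposed in the message above, as an added example; it is not code from the original mail or from linux-ipsec. The names `sa_id`, `sa_parse` and `sa_format` are hypothetical, and the example assumes a decimal SPI (as in "ah357") and an IPv4 dotted-quad destination.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* sa_id, sa_parse and sa_format are hypothetical names, not linux-ipsec code. */
enum sa_proto { SA_AH, SA_ESP };
struct sa_id {
    enum sa_proto proto;  /* the AH/ESP flag */
    uint32_t spi;         /* SPI, host byte order */
    struct in_addr dst;   /* destination address, network byte order */
};

/* Parse "<ah|esp><spi>@<ipv4>". Returns 0 on success, -1 on malformed input. */
int sa_parse(const char *s, struct sa_id *out)
{
    const char *p;
    char *end;
    unsigned long long spi;

    if (strncmp(s, "esp", 3) == 0) { out->proto = SA_ESP; p = s + 3; }
    else if (strncmp(s, "ah", 2) == 0) { out->proto = SA_AH; p = s + 2; }
    else return -1;
    /* Assumption: SPI is written in decimal, as "357" in the mail's example. */
    if (*p < '0' || *p > '9') return -1;  /* strtoull would accept sign/space */
    errno = 0;
    spi = strtoull(p, &end, 10);
    if (errno != 0 || spi > UINT32_MAX) return -1;  /* SPI is a 32-bit field */
    if (*end != '@') return -1;  /* missing address or junk after the digits */
    out->spi = (uint32_t)spi;
    /* inet_pton accepts only a full dotted quad: no names, no short forms. */
    return inet_pton(AF_INET, end + 1, &out->dst) == 1 ? 0 : -1;
}

/* Inverse of sa_parse: write the bundled form into buf. */
int sa_format(const struct sa_id *id, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    int n;

    if (inet_ntop(AF_INET, &id->dst, ip, sizeof ip) == NULL) return -1;
    n = snprintf(buf, len, "%s%lu@%s", id->proto == SA_ESP ? "esp" : "ah",
                 (unsigned long)id->spi, ip);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
```

Because the three identifying fields travel as one token, a tool can take a single argument per SA and reject a malformed one before it reaches the kernel interface.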

