linux-ipsec: uses of SA specifiers

Some musings, inspired by private correspondence, on how the new SA-specifier syntax might be used...

Where one currently says:

	ipsec eroute --add --edst 10.0.0.2 --spi 200 --src 10.0.2.0/24 \
	--dst 10.0.1.0/24

that could become (with the --add option changed to take a value, the SA; this sort of simplification is the real payoff of having it all in one package):

        ipsec eroute --add esp200@10.0.0.2 --src 10.0.2.0/24 --dst 10.0.1.0/24

Deleting an SA becomes syntactically almost trivial:

        ipsec spi --del esp200@10.0.0.2

Spigrp's syntax also gets simpler, one argument per SA:

	ipsec spigrp 10.0.0.2 0x1000 10.0.0.2 0x1002       # old
	ipsec spigrp esp0x1000@10.0.0.2 ah0x1002@10.0.0.2  # new
	ipsec spigrp esp4096@10.0.0.2 ah4098@10.0.0.2      # new decimal

Things in /proc should change accordingly, e.g. /proc/net/ipsec_spigrp becomes something like:

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

SPIGRP:
(esp203@10.0.0.1, 3DES-MD5-96 Encryption)

(tun200@10.0.0.2, IPv4 Simple Encapsulation)
(esp202@10.0.0.2, 3DES-MD5-96 Encryption)

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)