On Mar 14, 2011, at 12:54 PM, Ben Pfaff wrote:

> On Mon, Mar 14, 2011 at 12:50:59PM -0700, Jesse Gross wrote:
>> On Sun, Mar 13, 2011 at 4:51 PM, Justin Pettit <[email protected]> wrote:
>>> On Mar 13, 2011, at 11:13 AM, Jesse Gross wrote:
>>>
>>> Ben had offhandedly suggested (in face-to-face discussions) that users
>>> could have configured IPsec without using our daemon (either because it's
>>> not Debian or even not Linux). Clearly, for GRE this doesn't matter,
>>> because we don't behave differently depending on whether the traffic is
>>> encrypted or not. However, one could imagine a tunnel that behaves
>>> differently based on whether or not encryption is handled (e.g., a capwap
>>> tunnel could be configured to use a different source port for security
>>> policy matching purposes). It's trivial to block the creation, so if you'd
>>> prefer that we do it that way (and a strong case can be made for that on
>>> security grounds), I'd be happy to make the change.
>>
>> I'm not sure that the other use cases are too interesting (an
>> equivalent script could always be written for other distributions) and
>> it's easy to miss log messages if everything appears to be working so
>> it seems much safer to just not create the tunnel port at all.
>
> My example is pretty hypothetical so I'm happy to go with Jesse's
> preference too.
I think we're all on the same page. I'll prepare a patch shortly.

--Justin
