On Tue, Mar 11, 2008 at 06:51:11PM -0400, [EMAIL PROTECTED] wrote: > Moreover, as we discussed in various hallway conversations, > it's a little odd to configure ipsec policy in one way (using > ipsecconf) and to configure md5 in another (via on/off switches).
Except that a *lot* of IPsec configuration should be specifiable through IP_SEC_OPT-like interfaces. (Not necessarily things like, oh, say, trust anchors.) > > > Are we talking of providing a socket option to push the > > > password/keys to > > > be used for computing MD5 digest? > > > > Yes, I think that's what they're asking for, but that gets the client > > into the tricky business of handling sensitive key material (including > > all the configuration file problems this causes), and doesn't seem to > > be necessary. > > Besides which, if the client really wants to get into > the tricky business of handle the key itself, it can use > PF_KEY sockets to add the key. No, not PF_KEY. If you want sanitized ways to deal with keys then use tokens (including soft tokens). PF_KEY is not an API that we can expect simple apps to use. _______________________________________________ networking-discuss mailing list [email protected]
