I don't know how long we've had bidirectional dependencies between
ip and ipsecah, but to my way of thinking, that we do screams out loud
that the architecture between these components is somewhat lacking.
I'll admit that my knowledge of the requirements between the two isn't
complete, so I may be being naive here...
But isn't there a better way here?
Why does IP need to call anything directly inside of IPsec?
Or maybe a better position to take is one of these two:
1) IPsec should be a part of the IP kernel module or
2) we need a better set of interfaces/architecture such
that IP doesn't need to make calls into IPsec via functions
like sadb_buf_pkt.
Thoughts?
Darren
_______________________________________________
networking-discuss mailing list