On Tue, Apr 07, 2009 at 02:43:35PM -0400, Girish Moodalbail wrote:
> Thanks Dan, for your comments.

Again, pardon my latency.

>>      - Where does this fit in with the Clearview IP Tunneling work?
>
>       We will be able to create IP interfaces on the IP tunnel links created  
> via "Clearview IP Tunneling work"

Good.

>       Great. The plan is to get a few consumers to start using the library
> libipadm.so.1 (as identified in the design doc). Once we have sufficient  
> features (in subsequent phases of ipadm) we will have more consumers  
> using this library.

We can talk offline about a Brussels-happy punchind.

>>      - I see that there is absolutely no *_algs support ala. ifconfig(1M).
>>        I do not mind EOL-ing these, but I do need to see an agenda for
>>        how.  This may be more dladm-level than ipadm, but it is something
>>        we need to take into account.
> 
>       The eventual goal is to achieve the new mantra => 'ipadm' will be the  
> new 'ifconfig'.

Got it.

>       For now (first phase) 'ifconfig' will not be made obsolete. The *_alg  
> support will be present in ifconfig(1M) as it is today. We will not carry 
> forward the *_algs support in 'ipadm' as 'ipsecconf' is the right place 
> for people to configure it.

Okay, so *_algs goes away no later than when ifconfig(1M) does.  Good.

BTW, for folks in the audience with existing *_algs ifconfig deployments, if
you have:

        ifconfig ip.tun0 ..... encr_algs <foo> encr_auth_algs <bar> ....

You merely need to make that an entry in /etc/inet/ipsecinit.conf
(i.e. ipsecconf(1M) input):

        # Use IP-in-IP with transport-mode IKE negotiation
        { tunnel ip.tun0 negotiate transport } ipsec \
                { encr_algs <foo> encr_auth_algs <bar> }

You can always see that style on any tunnel today with:

        ipsecconf -ln -i <tunnel-name>

>>      - I assume the "-t" equivalent will be in the library as well, right?
>
>       Yes

Cool.

Dan
_______________________________________________
networking-discuss mailing list
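
The migration described in the message above, as an added example that is not part of the original thread or of any Solaris tool: it pulls the *_algs keywords out of a legacy ifconfig tunnel line and emits the ipsecinit.conf entry in the template Dan shows. The function names and the sample line are constructed for illustration, and treating auth_algs as one of the "*_algs" keywords is an assumption.

```python
# Added example: rewrite a legacy "ifconfig <tunnel> ... *_algs" line as the
# ipsecinit.conf entry shown in the message above. Sample input is constructed.
ALG_KEYWORDS = ("auth_algs", "encr_algs", "encr_auth_algs")  # assumed set of *_algs


def split_algs(ifconfig_line):
    """Return (tunnel, algs, remaining_tokens) for one ifconfig line."""
    tokens = ifconfig_line.split()
    if tokens and tokens[0] == "ifconfig":
        tokens = tokens[1:]
    if not tokens:
        raise ValueError("no interface name on line")
    tunnel, rest = tokens[0], tokens[1:]
    algs, remaining = {}, []
    i = 0
    while i < len(rest):
        word = rest[i]
        if word in ALG_KEYWORDS:
            # A keyword at end of line, or followed by another keyword, is malformed.
            if i + 1 >= len(rest) or rest[i + 1] in ALG_KEYWORDS:
                raise ValueError(f"{word} has no algorithm value")
            if word in algs:
                raise ValueError(f"{word} given twice")
            algs[word] = rest[i + 1]
            i += 2
        else:
            remaining.append(word)
            i += 1
    return tunnel, algs, remaining


def convert(ifconfig_line):
    """Return (ipsecinit.conf entry or None, ifconfig line without *_algs)."""
    tunnel, algs, remaining = split_algs(ifconfig_line)
    stripped = " ".join(["ifconfig", tunnel] + remaining)
    if not algs:
        return None, stripped  # nothing to migrate
    props = " ".join(f"{k} {algs[k]}" for k in ALG_KEYWORDS if k in algs)
    entry = (
        "# Use IP-in-IP with transport-mode IKE negotiation\n"
        f"{{ tunnel {tunnel} negotiate transport }} ipsec \\\n"
        f"        {{ {props} }}"
    )
    return entry, stripped


if __name__ == "__main__":
    # Constructed sample; addresses are from documentation ranges.
    sample = ("ifconfig ip.tun0 plumb tsrc 192.0.2.1 tdst 198.51.100.1 "
              "encr_algs aes encr_auth_algs sha1 up")
    for part in convert(sample):
        print(part)
```

The second return value is the ifconfig line with the algorithm keywords removed, so the tunnel configuration and the IPsec policy can be reviewed side by side before the old line is retired.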