Had to pick at two tiny things...

On Tue, May 13, 2008 at 10:10:10AM -0500, Nicolas Williams wrote:
>  - I assume that [it goes without saying that] IP_SEC_OPT requests that
>    conflict with whatever option is dictated by IKE/SPD config will
>    fail.

Right now, per-socket always overrides SPD unless the per-socket request is
"always cleartext", in which case, you need privilege.  If you're concerned
that this current model will sabotage Labeled IPsec, please speak up.  We may
need to address this anyway, as a knob which disabled this behavior was
yanked out sometime in S9 or S10 by accident.

>  - Certificate extensions for labeling are out of scope, yes?  In the
>    future I'd imagine an ike.config directive like "wire-label
>    from-cert" would be the interface for configuring the use of a cert
>    extension for working out SA labeling.

This is definitely an out-of-current-scope future work item.

Dan
