Sebastien Roy wrote:
> On Fri, 2006-10-06 at 05:48 -0700, Mike "Ford" Ditto wrote:
> > Right. Specifically, it has been the intention for milestone/network
> > to *depend on* IPsec (transport mode) policy and other network layer
> > security mechanisms being in place, so that the milestone represents
> > the earliest time that most network-listening services may safely
> > start ("safely" in the sense that they aren't exposed to attacks due
> > to the network layer policy not yet being enforced). IPsec tunnels,
> > however, do not need to (and perhaps shouldn't) be set up before
> > milestone/network.
>
> What would be the reasoning behind that latter statement?
I didn't mean that there is any harm in setting them up before milestone/network, I just meant that there doesn't need to be a dependency. I don't see any need for tunnels (IPsec or plain) to have any dependency relationship (dependent or dependency) with milestone/network. For that matter, other kinds of interfaces don't need the dependency either. If a physical interface is taking a long time to complete DHCP, or a tunnel can't be set up yet because its "tsrc" isn't yet ifconfig'd (perhaps waiting for DHCP again), we don't need to hold up services that are waiting for milestone/network. Those services should be prepared for links and addresses to come and go over time anyway.

So tunnel interfaces currently have to depend on other interfaces, either individually or by subcategory (tunnel interfaces as a group depending on non-tunnel interfaces as a group), but I think it would be more robust to make them independent even of that requirement.

I agree with Jim that the dependency on the tsrc being ifconfig'd is not useful, and I understand that it arises due to bind semantics that are sensible and well-established for ordinary networking applications. Perhaps we should add a new privileged bind option that allows binding to an address that the local stack doesn't yet know it is allowed to use, with the understanding that no packets will be passed until the address does get assigned, a state that can already be reached by taking away an address while something is bound to it.

-=] Mike [=-