Stephen J. Bevan wrote:
> H. Peter Anvin writes:
> > Fair enough. However, that does beg a question: is there any sane way
> > to create the pseudo-device model on top of the current model, as a
> > convenience layer? That way you could get the best of both.
> I assume you were using tunnel-mode IPsec and depending on exactly
> what you want to do you may be able to replace it with transport mode
> IPsec (or stay with tunnel if the extra 20 bytes of IP is not a
> problem) to handle host<->host IPsec and use gre or ipip for overlay
> network. That way you get a virtual device (gre or ipip) you can
> route to, run OSPF on, ... etc.
<sarcasm>
What a great idea. Now I just have to get every host I want to
interoperate with to support a nonstandard configuration. The scary
part is that if I motivate it with "Linux is too stupid to handle
standard tunnel-mode IPsec" I might actually get away with it.
</sarcasm>
Really... if saying our configuration is so screwed up that we have to
run a different over-wire protocol isn't an admission of failure I don't
know what is. I suspect this contributes to the growth in OpenVPN as well.
-hpa
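For readers who want to see what the quoted suggestion (a GRE overlay device with the GRE carrier protected host-to-host by transport-mode IPsec) looks like in practice, here is an added illustration. It is not from the thread or from either poster; the addresses, interface name, SPIs and keys are constructed placeholders, and the manually keyed SAs stand in for what an IKE daemon would normally negotiate. The functions only print iproute2 commands, so the output can be reviewed before it is piped to a root shell.

```shell
#!/bin/sh
# Added illustration of the transport-mode IPsec + GRE overlay described
# above.  Every address, SPI and key below is a constructed placeholder.

LOCAL_IP=192.0.2.1          # constructed: this host's outer address
REMOTE_IP=192.0.2.2         # constructed: peer's outer address
OVERLAY_DEV=gre1            # assumed name of the virtual device
OVERLAY_LOCAL=10.99.0.1/30  # constructed overlay address to route/run OSPF on
SPI_OUT=0x1001              # constructed SPIs; one SA per direction
SPI_IN=0x1002
# Constructed 256-bit AES-CBC key and 256-bit HMAC-SHA256 key (hex).
ENC_KEY=0x0011223344556677889900aabbccddeeff00112233445566778899aabbccddeeff
AUTH_KEY=0xffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100

# Commands that create the routable virtual device.  GRE (IP proto 47)
# travels between LOCAL_IP and REMOTE_IP like any other host<->host flow.
gre_cmds() {
  printf 'ip tunnel add %s mode gre local %s remote %s ttl 64\n' \
    "$OVERLAY_DEV" "$LOCAL_IP" "$REMOTE_IP"
  printf 'ip addr add %s dev %s\n' "$OVERLAY_LOCAL" "$OVERLAY_DEV"
  printf 'ip link set %s up\n' "$OVERLAY_DEV"
}

# Transport-mode ESP between the two hosts.  Transport mode wraps only the
# payload, which is why it saves the 20-byte outer IP header tunnel mode
# would add.  The policies match proto 47 only, so unrelated traffic
# between the hosts is untouched and the GRE carrier cannot go out in the
# clear even if a state is missing (the kernel drops it instead).
ipsec_cmds() {
  for dir in out in; do
    if [ "$dir" = out ]; then
      src=$LOCAL_IP; dst=$REMOTE_IP; spi=$SPI_OUT
    else
      src=$REMOTE_IP; dst=$LOCAL_IP; spi=$SPI_IN
    fi
    printf 'ip xfrm state add src %s dst %s proto esp spi %s mode transport enc aes %s auth-trunc "hmac(sha256)" %s 128\n' \
      "$src" "$dst" "$spi" "$ENC_KEY" "$AUTH_KEY"
    printf 'ip xfrm policy add src %s dst %s proto 47 dir %s tmpl src %s dst %s proto esp mode transport\n' \
      "$src" "$dst" "$dir" "$src" "$dst"
  done
}

# Full bring-up: device first, then the SAs and policies that cover it.
overlay_cmds() {
  gre_cmds
  ipsec_cmds
}

# Review, then apply with:  sh overlay.sh | sudo sh
overlay_cmds
```

The policies are written with a selector of `proto 47` rather than `any` so that only the overlay carrier is forced through ESP; the remaining host-to-host traffic keeps whatever policy it already had. Both directions get their own SA and policy, which is what a manual-keying setup needs and also what an IKE-driven one produces.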