On Wed, 2006-11-08 at 13:17 -0600, Venkat Yekkirala wrote:
> > > > Not sure
> > > > though when
> > > > that would apply here,
> > >
> > > It could apply to xfrms if they happen to be using the context
> > > represented by any of the initial SIDs.
> >
> > Which would happen when?
>
> If one were attempting to use a context pertaining to the unlabeled init
> sid in the SPD and/or the SAD. But would I be correct in assuming that the
> same sid (unlabeled init sid in all likelihood) would end up being returned
> when the context is turned into a sid, resulting in the SPD and the SAD
> using the same init sid, thus making a full-context compare unnecessary?

Yes.

> > What's the harm from just using the SID comparison and
> > allowing for the
> > possibility that there might be a few duplicates in rare
> > circumstances?
> > Does it break any assumptions in the rest of the logic?
>
> The best I can think of is if the SA's sid doesn't match the
> socket's SID, IKE would come into play, if it's configured.
>
> I also wanted to conversely ask what harm exists if we did
> a full-context compare in the event the sids didn't match?
>
> Are we just trying to generally avoid extra code?

More complexity and overhead for no real gain.

-- 
Stephen Smalley
National Security Agency