Discussion:
IPsec: duplicate sysctls
Maxime Villard
2018-03-05 07:44:32 UTC
As Ryota Ozaki noted a week ago, there are several duplicate sysctls

net.inet.esp.trans_deflev = net.inet.ipsec.esp_trans_deflev
net.inet.esp.net_deflev = net.inet.ipsec.esp_net_deflev
net.inet.ah.cleartos = net.inet.ipsec.ah_cleartos
net.inet.ah.offsetmask = net.inet.ipsec.ah_offsetmask
net.inet.ah.trans_deflev = net.inet.ipsec.ah_trans_deflev
net.inet.ah.net_deflev = net.inet.ipsec.ah_net_deflev

Under net.inet6 there are no duplicates, we use the convention on the
right here.

But I believe the one on the left is the best one. I guess it is fine to
switch everything to the left one and remove the duplicates?

Maxime

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
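Because the six pairs above are two names for what an administrator expects to be one setting, the practical risk is a host where someone sets one name (in sysctl.conf or by hand) and then audits the other. The script below is an added example, not part of the thread or of NetBSD; it takes "sysctl -a"-style output ("name = value" lines), looks up both names of each pair listed in the message, and reports any pair whose values differ. The input here is a constructed sample with one deliberate mismatch; on a real host you would feed it the output of sysctl net.inet instead. Whether the two names share one kernel variable is not stated in the thread, so the check treats them as independently reported values.

```shell
#!/bin/sh
# Added example (not from the thread, not NetBSD code): cross-check the
# duplicate IPsec sysctl names listed in the discussion.

# Constructed "sysctl -a"-style output. The ah.offsetmask pair is made to
# disagree on purpose so the check has something to report.
SAMPLE_SYSCTL='net.inet.esp.trans_deflev = 1
net.inet.esp.net_deflev = 1
net.inet.ah.cleartos = 1
net.inet.ah.offsetmask = 0
net.inet.ah.trans_deflev = 1
net.inet.ah.net_deflev = 1
net.inet.ipsec.esp_trans_deflev = 1
net.inet.ipsec.esp_net_deflev = 1
net.inet.ipsec.ah_cleartos = 1
net.inet.ipsec.ah_offsetmask = 255
net.inet.ipsec.ah_trans_deflev = 1
net.inet.ipsec.ah_net_deflev = 1'

# The six alias pairs named in the thread: per-protocol name, net.inet.ipsec name.
DUP_PAIRS='net.inet.esp.trans_deflev net.inet.ipsec.esp_trans_deflev
net.inet.esp.net_deflev net.inet.ipsec.esp_net_deflev
net.inet.ah.cleartos net.inet.ipsec.ah_cleartos
net.inet.ah.offsetmask net.inet.ipsec.ah_offsetmask
net.inet.ah.trans_deflev net.inet.ipsec.ah_trans_deflev
net.inet.ah.net_deflev net.inet.ipsec.ah_net_deflev'

# sysctl_value NAME OUTPUT: print the value reported for NAME in OUTPUT,
# or "<unset>" when the name does not appear (e.g. a kernel without IPsec).
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        $1 == k && $2 == "=" { print $3; found = 1; exit }
        END { if (!found) print "<unset>" }'
}

# check_pairs OUTPUT: print one MISMATCH line per disagreeing pair, then a
# summary line with the count. Exit status is 0 when all pairs agree, 1 otherwise.
check_pairs() {
    out=$1
    mismatches=0
    # A here-document keeps the loop in the current shell so the counter survives.
    while read -r left right; do
        [ -n "$left" ] || continue
        lv=$(sysctl_value "$left" "$out")
        rv=$(sysctl_value "$right" "$out")
        if [ "$lv" != "$rv" ]; then
            printf 'MISMATCH %s=%s %s=%s\n' "$left" "$lv" "$right" "$rv"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$DUP_PAIRS
EOF
    printf '%d mismatching pair(s)\n' "$mismatches"
    [ "$mismatches" -eq 0 ]
}

# Stand-alone run against the constructed sample.
check_pairs "$SAMPLE_SYSCTL"
```

Run against the sample it prints the single disagreeing pair and "1 mismatching pair(s)" and exits 1, which makes it usable as a post-boot or configuration-management check. If the duplicates are removed as the thread proposes, one side of each pair would simply report "<unset>" and the pair list is the only thing to update.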
Joerg Sonnenberger
2018-03-05 21:06:20 UTC
Post by Maxime Villard
> As Ryota Ozaki noted a week ago, there are several duplicate sysctls
> net.inet.esp.trans_deflev = net.inet.ipsec.esp_trans_deflev
> net.inet.esp.net_deflev = net.inet.ipsec.esp_net_deflev
> net.inet.ah.cleartos = net.inet.ipsec.ah_cleartos
> net.inet.ah.offsetmask = net.inet.ipsec.ah_offsetmask
> net.inet.ah.trans_deflev = net.inet.ipsec.ah_trans_deflev
> net.inet.ah.net_deflev = net.inet.ipsec.ah_net_deflev
> Under net.inet6 there are no duplicates, we use the convention on the
> right here.
> But I believe the one on the left is the best one. I guess it is fine to
> switch everything to the left one and remove the duplicates?
I do prefer the convention on the right, "esp" or "ah" by itself is not
necessarily a direct association with IPsec.

Joerg

Joerg Sonnenberger
2018-03-06 20:16:26 UTC
Post by Maxime Villard
> Post by Joerg Sonnenberger
>> Post by Maxime Villard
>>> As Ryota Ozaki noted a week ago, there are several duplicate sysctls
>>> net.inet.esp.trans_deflev = net.inet.ipsec.esp_trans_deflev
>>> net.inet.esp.net_deflev = net.inet.ipsec.esp_net_deflev
>>> net.inet.ah.cleartos = net.inet.ipsec.ah_cleartos
>>> net.inet.ah.offsetmask = net.inet.ipsec.ah_offsetmask
>>> net.inet.ah.trans_deflev = net.inet.ipsec.ah_trans_deflev
>>> net.inet.ah.net_deflev = net.inet.ipsec.ah_net_deflev
>>> Under net.inet6 there are no duplicates, we use the convention on the
>>> right here.
>>> But I believe the one on the left is the best one. I guess it is fine to
>>> switch everything to the left one and remove the duplicates?
>> I do prefer the convention on the right, "esp" or "ah" by itself is not
>> necessarily a direct association with IPsec.
> These sysctls are to be used when IPsec is enabled; so if someone is using
> IPsec but has no idea what "ah" or "esp" means, this someone has a problem
> in the first place.
They exist on any system with IPsec support in the kernel. Someone
looking at "sysctl -a" has a right to have an idea what this is about as
well. The chance that someone has heard about IPsec is much higher than
having heard about AH or ESP.

Joerg

Maxime Villard
2018-03-06 19:40:47 UTC
Post by Joerg Sonnenberger
> Post by Maxime Villard
>> As Ryota Ozaki noted a week ago, there are several duplicate sysctls
>> net.inet.esp.trans_deflev = net.inet.ipsec.esp_trans_deflev
>> net.inet.esp.net_deflev = net.inet.ipsec.esp_net_deflev
>> net.inet.ah.cleartos = net.inet.ipsec.ah_cleartos
>> net.inet.ah.offsetmask = net.inet.ipsec.ah_offsetmask
>> net.inet.ah.trans_deflev = net.inet.ipsec.ah_trans_deflev
>> net.inet.ah.net_deflev = net.inet.ipsec.ah_net_deflev
>> Under net.inet6 there are no duplicates, we use the convention on the
>> right here.
>> But I believe the one on the left is the best one. I guess it is fine to
>> switch everything to the left one and remove the duplicates?
> I do prefer the convention on the right, "esp" or "ah" by itself is not
> necessarily a direct association with IPsec.
These sysctls are to be used when IPsec is enabled; so if someone is using
IPsec but has no idea what "ah" or "esp" means, this someone has a problem
in the first place.
