[Swan-dev] "route" vs "ondemand"

D. Hugh Redelmeier hugh at mimosa.com
Wed Jul 3 15:18:20 UTC 2019

| From: Paul Wouters <paul at nohats.ca>

| On Tue, 2 Jul 2019, D. Hugh Redelmeier wrote:
| > So it sounds as if auto=route is obsolete.
| Yes.
| > But uses are scattered through
| > our tree.  I assume that they should be updated.  Any objection?

Shall I fix this?  (Maybe not: see below.)

| > In the case of ipsec_auto(8), --ondemand is the same as --add then
| > --route.  So there is a distinction there.
| Are you mixing up ipsec auto --route with auto=ondemand?

I hypothesized that ipsec.conf: conn: auto=route/ondemand might be the 
same as --route/--ondemand.  I read the documentation and found that not to 
be the case.  At least for ipsec auto, --ondemand means --up 
plus --route.  So --route and --ondemand are different and possibly 
| I wasn't aware
| we obsoleted it there too.

No, --route wasn't obsoleted.  Nor is there an obvious reason to
obsolete it.

| But I see we support ipsec auto --ondemand,
| so I guess we did. So in that case I guess we can update it all to use
| --ondemand in documentation and examples.

It might be that we could change the current meanings and obsolete
--route.  We'd have to make sure that --ondemand doesn't object if the
conn has already been --added (I don't know if it does or not).

I'm a little hazy about shunts (and too lazy to look it up).  I would
think that auto=route and --route should install some shunt but
auto=ondemand and --ondemand should install a TRAP shunt.  That's a
bit different.  Documentation would perhaps set me straight, if I read it.  
The documentation I did read did not seem complete.

If the shunt installed by ondemand were "drop", that would make its
name wrong: negotiation would not be initiated by a packet flow and
hence this would not be "on demand".  But the name "route" would be OK.

This stuff is tricky.  We should try to make sure our keywords are not misleading.
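For readers following the keyword discussion, here is an added ipsec.conf fragment (not part of the thread, and not taken from the Libreswan tree) showing the conn form the thread settles on: auto=ondemand, the keyword that loads a conn and installs a kernel trap so that the first matching packet starts negotiation. The conn name, addresses and subnets are made-up values.

```ini
# Added example, not from the mailing-list thread.  Conn name, addresses
# and subnets are invented (RFC 5737 / private ranges).
conn ondemand-example
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    authby=secret
    # Loads the conn and installs a trap policy in the kernel: no tunnel is
    # brought up until a packet matches leftsubnet<->rightsubnet, at which
    # point the kernel's acquire triggers IKE.  The older spelling of this
    # keyword is auto=route, which the thread describes as obsolete.
    auto=ondemand
```

After `ipsec restart` (or `ipsec auto --add` plus `ipsec auto --ondemand ondemand-example`), the trap should be visible as a policy with no matching state in `ip xfrm policy`, and `ipsec status` should list the conn as loaded but not yet established; once traffic has triggered negotiation, `ipsec trafficstatus` shows the established SA.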
