[Swan-dev] "route" vs "ondemand"
Paul Wouters
paul at nohats.ca
Thu Jul 4 13:42:32 UTC 2019
On Wed, 3 Jul 2019, D. Hugh Redelmeier wrote:
> | Are you mising up ipsec auto --route with auto=ondemand?
>
> I hypothesized that ipsec.conf: conn: auto=route/ondemand might be the
> same as --route/--ondemand I read the documentation and found that not to
> be the case. At least for ipsec auto, --ondemand means --up
> plus --route. So --route and --ondemand are different and possibly
> useful.
--up plus --route makes no sense to me? Since up is add + start?
> No, --route wasn't obsoleted. Nor is there an obvious reason to
> obsolete it.
In terms of internals, a route is really the ondemand feature.
Perhaps what we should do is change it so that we have
auto=start == ipsec auto --start is conn added, routed and initiated
auto=ondemand == ipsec auto --ondemand is conn added, routed and not initiated
auto=add == auto=add is conn added and not routed nor initiated.
auto=route is an alias for auto=ondemand
This would change the behaviour of ipsec auto --ondemand from "route" to
"add plus route".
Note all "add" operations are "replace" operations, that might do a down
plus delete operation.
> I'm a little hazy about shunts (and too lazy to look it up). I would
> think that auto=route and --route should install some shunt but
> auto=ondemand and --ondemand should install a TRAP shunt. That's a
> bit different. Documentation would perhaps set me straight, if I read it.
> The documentation I did read did not seem complete.
both install a SPD policy to get an ACQUIRE or punch a hole (or insert a drop)
> If the shunt installed by ondemand were "drop", that would make its
> name wrong: negotiation would not be initiated by a packet flow and
> hence this would not be "on demand". But the name "route" would be OK.
well, the name route would also be bad, there isn't even a route added
unless using KLIPS. A better term would be auto=install to install the
policy, whatever the policy does.
> This stuff is tricky. We should try to make sure our keywords are not misleading.
The real question is, does changing it now help or make it worse?
Paul
More information about the Swan-dev
mailing list