From: blue (envelope-from Susan.Lan@zyxel.com.tw)
Date: Thu, 26 Jul 2007 11:13:53 +0800
To: freebsd-net@freebsd.org
Message-ID: <46A81171.1040107@zyxel.com.tw>
Subject: SADB_X_SPDFLUSH message handling for latest version of IPsec
List-Id: Networking and TCP/IP with FreeBSD

Hi, all:

Recently I found that the behavior of the command "setkey -FP" is quite different in the latest version of IPsec (known as FAST_IPSEC before). Before, the command would erase all the existing SP entries; currently it does not.
After digging through the code, I found that the state of the SP entries is set to IPSEC_SPSTATE_DEAD, but the entries are not unlinked from the SPD. Why does the entry need to be kept in the SPD? Is there any special purpose? Without the removal, it is hard to tell whether an SP entry still takes effect, since "setkey -PD" does not show its status. On the other hand, SAs behave as usual: once "setkey -F" is typed in, the SA entries are erased right away.

Thanks.

BR,
blue
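As an added example (not code from the original message, and not FreeBSD's own setkey), the following C program performs the exchange the message is about directly over a PF_KEYv2 socket: it sends SADB_X_SPDFLUSH, then SADB_X_SPDDUMP, and counts the policy records the kernel still reports afterwards, which is the quickest way to see whether a flush actually removed entries from the SPD. It assumes the KAME conventions that the last record of a dump carries sadb_msg_seq 0 and that an empty SPD is answered with an error (ENOENT), and it needs root to open the PF_KEY socket. The demo_* functions and the sample reply they build are constructed for illustration, not a captured kernel response.

```c
/* Added example: flush the SPD over PF_KEY, then dump it to see what remains.
 * Not from the original post; assumptions are noted inline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/pfkeyv2.h>   /* same KAME-derived PF_KEYv2 definitions */
#else
#include <net/pfkeyv2.h>     /* FreeBSD / KAME */
#endif

/* Build a bare PF_KEYv2 request header (no extensions); returns byte length.
 * sadb_msg_len is counted in 64-bit units, so a bare 16-byte header is 2. */
size_t build_pfkey_hdr(struct sadb_msg *m, uint8_t type, uint32_t seq)
{
    memset(m, 0, sizeof *m);
    m->sadb_msg_version = PF_KEY_V2;
    m->sadb_msg_type    = type;
    m->sadb_msg_satype  = SADB_SATYPE_UNSPEC;
    m->sadb_msg_len     = (uint16_t)(sizeof *m / 8);
    m->sadb_msg_seq     = seq;
    m->sadb_msg_pid     = (uint32_t)getpid();
    return sizeof *m;
}

/* Walk a buffer of concatenated PF_KEY messages and count SPDDUMP records.
 * *done is set when the dump is complete: the kernel replied with an error
 * (ENOENT for an empty SPD) or a record with seq 0 was seen, which in the
 * KAME code marks the last entry of a dump (assumption). Other message types
 * (broadcasts from other PF_KEY users) are skipped. */
int count_spd_records(const uint8_t *buf, size_t len, int *done)
{
    int count = 0;
    *done = 0;
    while (len >= sizeof(struct sadb_msg)) {
        struct sadb_msg m;
        memcpy(&m, buf, sizeof m);            /* buf may be unaligned */
        size_t mlen = (size_t)m.sadb_msg_len * 8;
        if (mlen < sizeof m || mlen > len)    /* truncated or malformed */
            break;
        if (m.sadb_msg_type == SADB_X_SPDDUMP) {
            if (m.sadb_msg_errno != 0) { *done = 1; break; }
            count++;
            if (m.sadb_msg_seq == 0) { *done = 1; break; }
        }
        buf += mlen;   /* skip policy/address extensions we do not parse */
        len -= mlen;
    }
    return count;
}

/* Send SPDFLUSH, then SPDDUMP, and return how many policies the kernel still
 * reports; -1 on any socket error (opening PF_KEY requires root). */
int flush_then_count(void)
{
    struct sadb_msg req;
    uint8_t buf[65536];
    int total = 0, done = 0;
    int s = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
    if (s < 0)
        return -1;
    /* SADB_X_SPDFLUSH: the kernel echoes the request back as its reply */
    size_t n = build_pfkey_hdr(&req, SADB_X_SPDFLUSH, 1);
    if (write(s, &req, n) != (ssize_t)n || read(s, buf, sizeof buf) < 0) {
        close(s);
        return -1;
    }
    /* SADB_X_SPDDUMP: one reply message per policy still on the SPD */
    n = build_pfkey_hdr(&req, SADB_X_SPDDUMP, 2);
    if (write(s, &req, n) != (ssize_t)n) {
        close(s);
        return -1;
    }
    while (!done) {
        ssize_t r = read(s, buf, sizeof buf);
        if (r < 0) { close(s); return -1; }
        total += count_spd_records(buf, (size_t)r, &done);
    }
    close(s);
    return total;
}

/* Constructed sample (not a captured reply): two SPDDUMP records, each padded
 * with 8 bytes standing in for the extensions a real record carries, the
 * second with seq 0 as the end marker. Returns 2 when parsed correctly. */
int demo_count_constructed_dump(void)
{
    uint8_t buf[2 * (sizeof(struct sadb_msg) + 8)];
    struct sadb_msg m;
    int done;
    memset(buf, 0, sizeof buf);
    build_pfkey_hdr(&m, SADB_X_SPDDUMP, 1);
    m.sadb_msg_len = 3;                        /* header + 8-byte stub */
    memcpy(buf, &m, sizeof m);
    m.sadb_msg_seq = 0;                        /* last record of the dump */
    memcpy(buf + 24, &m, sizeof m);
    int count = count_spd_records(buf, sizeof buf, &done);
    return done ? count : -1;
}

/* Sanity check on the header builder: a flush request is 2 x 64-bit words. */
int demo_flush_hdr_words(void)
{
    struct sadb_msg m;
    build_pfkey_hdr(&m, SADB_X_SPDFLUSH, 1);
    return m.sadb_msg_type == SADB_X_SPDFLUSH ? m.sadb_msg_len : -1;
}

int main(void)
{
    int left = flush_then_count();
    if (left < 0)
        perror("PF_KEY exchange failed (root required)");
    else
        printf("%d SPD entries still reported after SADB_X_SPDFLUSH\n", left);
    return 0;
}
```

Run it as root on a box with a few policies loaded; on a kernel that only marks entries IPSEC_SPSTATE_DEAD without unlinking them, the count after the flush will match the count before it, which is exactly the symptom described above. Because PF_KEY sockets also receive broadcasts of other processes' SADB traffic, the walker only counts SADB_X_SPDDUMP records.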