% requirement012.tex
\subsection{012: /dev/ipsecNNN devices that could be chown(1)ed and chmod(1)ed.}

\subsubsection{012: Definition of requirement}

One of the grand ideas of Unix is the notion that ``everything is a file''.
As a result, network devices don't show up in /dev/ in a useful way, and they
don't have file-modes and file-owners. Instead you need to deal with them
using special commands like {\bf ifconfig}, and special system calls like
{\bf bind, setsockopt, ...}

As a result, it is clear how to establish an IPsec connection from host A to
host B, but it is really not obvious how to establish an IPsec connection from
user UX (process PX) to user UY (process PY). Could a user have his own
ipsec.conf file? How would that file be related to the system's ipsec.conf
file?

Even if the user doesn't have his own ipsec.conf file, how do we implement
per-user or per-process tunnels? I can imagine what the kernel code looks like
to enforce the restrictions, but what does it look like to the user process?
Making it look like a named pipe with a file-owner and some file-permissions
is one way... that makes it look more like good-old ``core'' Unix but less
like other networking stuff.

\subsubsection{012: response}

Constructive proposals would be most welcome.

This feature is not committed to in any form at this time.
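What the named-pipe model above would give a user process, as an added example that is not FreeS/WAN code: a FIFO stands in for the proposed (uncommitted) /dev/ipsecNNN node, and the owner/group/other check decides who may read or write it. The path /tmp/ipsec-demo-PID and the names make_tunnel_node and may_access are assumptions for illustration.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Classic Unix check: select exactly one permission class (owner, then
 * group, then other) and test the wanted bits (4 = read, 2 = write).
 * Supplementary groups and the root override are left out for brevity. */
int may_access(const struct stat *st, uid_t uid, gid_t gid, int want)
{
    int bits;
    if (uid == st->st_uid)      bits = (st->st_mode >> 6) & 7;
    else if (gid == st->st_gid) bits = (st->st_mode >> 3) & 7;
    else                        bits = st->st_mode & 7;
    return (bits & want) == want;
}

/* Create a FIFO standing in for a hypothetical per-user tunnel node,
 * apply `mode` the way chmod(1) would, and stat it. 0 on success. */
int make_tunnel_node(char *path, size_t len, mode_t mode, struct stat *st)
{
    snprintf(path, len, "/tmp/ipsec-demo-%ld", (long)getpid());
    if (mkfifo(path, 0600) != 0)   /* fails if the name already exists */
        return -1;
    if (chmod(path, mode) != 0)    /* chmod is not subject to the umask */
        return -1;
    return stat(path, st);
}

int main(void)
{
    char path[64];
    struct stat st;

    /* 0640: owner may send and receive, group may only receive. */
    if (make_tunnel_node(path, sizeof path, 0640, &st) != 0) {
        perror("make_tunnel_node");
        return 1;
    }
    printf("%s mode %o owner %ld\n", path,
           (unsigned)(st.st_mode & 0777), (long)st.st_uid);
    printf("owner rw: %d\n", may_access(&st, st.st_uid, st.st_gid, 6));
    printf("group r:  %d\n", may_access(&st, st.st_uid + 1, st.st_gid, 4));
    printf("group w:  %d\n", may_access(&st, st.st_uid + 1, st.st_gid, 2));
    printf("other r:  %d\n", may_access(&st, st.st_uid + 1, st.st_gid + 1, 4));
    unlink(path);
    return 0;
}
```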