Thread (7 messages) 7 messages, 3 authors, 2007-12-03

Re: [PATCH] XFRM: SPD auditing fix to include the netmask/prefix-length

From: Joy Latten <hidden>
Date: 2007-11-30 15:17:37

On Fri, 2007-11-30 at 09:51 -0500, Paul Moore wrote:
> On Thursday 29 November 2007 8:45:46 am Paul Moore wrote:
> > On Thursday 29 November 2007 5:34:59 am Herbert Xu wrote:
> > > On Mon, Nov 26, 2007 at 07:55:12PM +0000, Paul Moore wrote:
> > > > Currently the netmask/prefix-length of an IPsec SPD entry is not
> > > > included in any of the SPD related audit messages.  This can cause a
> > > > problem when the audit log is examined as the netmask/prefix-length is
> > > > vital in determining what network traffic is affected by a particular
> > > > SPD entry. This patch fixes this problem by adding two additional
> > > > fields, "src_prefixlen" and "dst_prefixlen", to the SPD audit messages
> > > > to indicate the source and destination netmasks.  These new fields are
> > > > only included in the audit message when the netmask/prefix-length is
> > > > less than the address length, i.e. the SPD entry applies to a network
> > > > address and not a host address.
> > >
> > > Any reason why we don't just always include them?
> >
> > The audit folks seem to be very sensitive to the size/length of the audit
> > messages, they prefer they be as small as possible.  I thought that one way
> > to save space would be to only print the prefix length information when the
> > address referred to a network and not a single host.
> >
> > Would you prefer it if the prefix length information was always included in
> > the audit message?  Joy?  Audit folks?
>
> Steve and/or Joy, could we get a verdict on this issue?  The lack of a netmask
> in the SPD audit messages is pretty serious so I'd like to see this fixed as
> soon as possible.
I think Steve may be able to answer this much better than I can in 
regards to audit. In my opinion having the netmask is good.

regards,
Joy
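The patch description quoted above omits "src_prefixlen"/"dst_prefixlen" whenever the SPD entry is a single host, so a log consumer has to supply the full address length itself before it can tell which traffic an entry affected. The following is an added example (not code from the thread or the kernel) that does exactly that; the record layout (type=, op=, src=, dst= fields) and the sample lines are constructed for illustration, and only the two prefixlen field names come from the thread.

```python
import ipaddress
import re

# Constructed sample SPD audit records (layout assumed, not real kernel output).
# Per the patch description, *_prefixlen is present only for network selectors.
SAMPLE_RECORDS = [
    'type=MAC_IPSEC_EVENT msg=audit(1196435857.123:45): op=SPD-add '
    'src=10.1.0.0 src_prefixlen=16 dst=192.168.1.5 res=1',
    'type=MAC_IPSEC_EVENT msg=audit(1196435857.124:46): op=SPD-delete '
    'src=2001:db8::1 dst=2001:db8:1:: dst_prefixlen=48 res=1',
]

FIELD_RE = re.compile(r'(\w+)=(\S+)')


def parse_fields(record: str) -> dict:
    """Split an audit record into its key=value fields."""
    return dict(FIELD_RE.findall(record))


def spd_selectors(record: str) -> dict:
    """Return the src/dst selectors of an SPD audit record as ip_network objects.

    A missing src_prefixlen/dst_prefixlen means the entry matched a single host,
    so the prefix length defaults to the address length (32 for IPv4, 128 for IPv6).
    """
    fields = parse_fields(record)
    selectors = {}
    for side in ('src', 'dst'):
        addr = ipaddress.ip_address(fields[side])
        plen = int(fields.get(f'{side}_prefixlen', addr.max_prefixlen))
        selectors[side] = ipaddress.ip_network((addr, plen), strict=False)
    return selectors


def entries_affecting(records, src_ip: str, dst_ip: str) -> list:
    """Return the op of every SPD record whose selectors cover the src/dst pair."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = []
    for rec in records:
        sel = spd_selectors(rec)
        # Membership is False across address families, so mixed v4/v6 never matches.
        if src in sel['src'] and dst in sel['dst']:
            hits.append(parse_fields(rec)['op'])
    return hits
```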