Gunther Schadow wrote:
> Lars, what was your rationale for inventing the ip-tun package?

We wrote it a few years back for FreeBSD-3.X, to support X-Bone when no
KAME was installed (3.X did not have KAME code merged yet.) I hear there
are issues with it under 4.X due to a changed device model, but I think
we'll have a student port it over the summer. Then again, nos-tun(8)
supports IP-in-IP now, so maybe ip-tun is obsolete.

> Did you have good or bad experience with any of those alternatives?

Vtun uses UDP encapsulation, which means it's an application level thing
(like ssh tunnels). One of the major design objectives of X-Bone was to
use off-the-shelf, standardized OS mechanisms, so it didn't qualify.
We're trying to provide a pure IP overlay - ideally, you shouldn't be
able to tell an overlay network from a real network (e.g. ping,
traceroute, DNS, RIP, etc. all "just works"). Application-level tunnels
(and layer-2 tunnels) can't support this. (I also personally don't
think UDP encapsulation has any purpose other than tunneling through
NATs, which are a bad hack and should die.)

GRE encapsulation has functionality not needed for our purposes and adds
an extra header, so we decided against it.

I have no experience with pipsecd.

Lars
-- 
Lars Eggert <[EMAIL PROTECTED]>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
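An added example (my own code, not from Lars's message, X-Bone or ip-tun) that makes the "adds an extra header" point concrete: the same inner IPv4 datagram is encapsulated three ways, IP-in-IP (protocol 4, RFC 2003), GRE (protocol 47 with the minimal 4-byte header of RFC 2784) and UDP (the vtun-style application-level framing), and a decapsulator validates the outer header before stripping it. Addresses, ports and the payload are constructed; the inner datagram uses the experimental protocol number 253 so no transport checksum is needed.

```python
import socket
import struct

IPPROTO_IPIP = 4     # IP-in-IP, RFC 2003
IPPROTO_UDP = 17
IPPROTO_GRE = 47     # GRE, RFC 2784
GRE_ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def make_inner() -> bytes:
    """Constructed inner datagram: 10.0.0.1 -> 10.0.0.2, protocol 253, 5-byte payload."""
    return ipv4_header("10.0.0.1", "10.0.0.2", 253, 5) + b"hello"


def encap_ipip(inner: bytes, osrc: str, odst: str) -> bytes:
    # Outer IPv4 header only: 20 bytes of overhead.
    return ipv4_header(osrc, odst, IPPROTO_IPIP, len(inner)) + inner


def encap_gre(inner: bytes, osrc: str, odst: str) -> bytes:
    # Outer IPv4 + 4-byte GRE header (no C/K/S flags, version 0): 24 bytes of overhead.
    gre = struct.pack("!HH", 0, GRE_ETHERTYPE_IPV4)
    return ipv4_header(osrc, odst, IPPROTO_GRE, 4 + len(inner)) + gre + inner


def encap_udp(inner: bytes, osrc: str, odst: str, sport: int, dport: int) -> bytes:
    # Outer IPv4 + 8-byte UDP header (checksum 0 = absent, allowed for IPv4): 28 bytes.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(inner), 0)
    return ipv4_header(osrc, odst, IPPROTO_UDP, 8 + len(inner)) + udp + inner


def decap(packet: bytes):
    """Check the outer header, then return (mode, inner_datagram)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a sane IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        raise ValueError("length field inconsistent with packet")
    proto = packet[9]
    body = packet[ihl:total_len]
    if proto == IPPROTO_IPIP:
        return "ipip", body
    if proto == IPPROTO_GRE:
        if len(body) < 4:
            raise ValueError("short GRE header")
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags & 0x0007 or ptype != GRE_ETHERTYPE_IPV4:
            raise ValueError("unsupported GRE version or protocol type")
        # C (0x8000), K (0x2000) and S (0x1000) each add a 4-byte optional field.
        opt = 4 * (bool(flags & 0x8000) + bool(flags & 0x2000) + bool(flags & 0x1000))
        return "gre", body[4 + opt:]
    if proto == IPPROTO_UDP:
        if len(body) < 8:
            raise ValueError("short UDP header")
        ulen = struct.unpack("!H", body[4:6])[0]
        if ulen < 8 or ulen > len(body):
            raise ValueError("UDP length inconsistent with packet")
        return "udp", body[8:ulen]
    raise ValueError("protocol %d is not a tunnel encapsulation handled here" % proto)


def overhead(mode: str, inner: bytes = make_inner()) -> int:
    """Bytes added to the inner datagram by each encapsulation."""
    if mode == "ipip":
        return len(encap_ipip(inner, "192.0.2.1", "192.0.2.2")) - len(inner)
    if mode == "gre":
        return len(encap_gre(inner, "192.0.2.1", "192.0.2.2")) - len(inner)
    return len(encap_udp(inner, "192.0.2.1", "192.0.2.2", 5000, 5000)) - len(inner)
```

The decapsulator is deliberately strict: it rejects a bad outer checksum or a length field that disagrees with the bytes received before it looks at the inner datagram, which is the behaviour you want at a tunnel endpoint that accepts packets from the network.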
