>> 1. Has anyone else seriously looked at doing this?
>> 2. Has anyone compared the OpenBSD and KAME implementations and understood
>> their relative strengths? (e.g. is there some reason to work with KAME other
>> than that it's already in the system)
>
>i have summarized what some people argued to merge OpenBSD IPsec
>implementation into FreeBSD.
>
>some people say that OpenBSD has advantage because:
> 1. it supports the crypto hardware acceleration.
> 2. because SA is shown as a pseudo interface,
> 2-a. we can see how packets flow through the interface
> by netstat(8).
> 2-b. it can configure packet rules easily.
> 2-c. routing information can flow into the interface.
> 3. we can see parameters and the statistics of the SA.
> 4. SPD is implemented in the routing table.
observations 2-[abc] are incorrect. openbsd uses the enc0 interface, which
enables people to run tcpdump against packets after ESP decapsulation
(or before encapsulation). the interface is a pseudo interface,
and you cannot run routing protocol over it. enc0 interface won't be
instantiated per-SA (one interface is shared for all SAs).
KAME does not have an enc0 interface or the like, as doing so breaks the IPv6
scoping architecture (in short, you can never play with
m->m_pkthdr.rcvif, as addresses must be evaluated under certain
interface's context).
4 is also incorrect. SPD is implemented as a radix tree, separate
from the IPv4 (or IPv6) routing table. therefore, it has nothing
to do with the normal routing table.
itojun