Sam Leffler wrote:
Larry Baird wrote:
And how do I know that it works ?
Well, when it doesn't work, I do know it, quite quickly most of the
time !
I have to chime in here. I did most of the initial porting of the
NAT-T patches from Kame IPSec to FAST_IPSEC. I did look at every
line of code during this process. I found no security problems during
the port. Like Yvan, my company uses the NAT-T patches commercially.
Like he says, if it had problems, we would hear about it. If the
patches
don't get commited, I highly suspect Yvan or myself would try to keep
the
patches up todate. So far I have done FAST_IPSEC pacthes for FreeBSD
4,5,6. Yvan did 7 and 8 by himself. Keeping up gets to be a pain
after a while. I do plan to look at the FreeBSD 7 patches soon, but
it sure would be nice
to see it commited.
Please test/review the following patch against HEAD:
http://people.freebsd.org/~sam/nat_t-20080616.patch
This adds only the kernel portion of the NAT-T support; you must provide
the user-level code from another place.
The main difference from the patches floating around are in the
ctloutput path (adding proper locking for HEAD) and decap of ESP-in-UDP
frames. Assuming folks are ok w/ these changes I'll commit to HEAD.
Once this stuff goes in we can look at getting the user-mode mods into
the tree.
Sam
PS. Thanks especially to Matthew Grooms who tested an earlier version
and fixed a bug.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
