On Fri, Feb 18, 2011 at 09:40:13AM +0000, VANHULLEBUS Yvan wrote: > Author: vanhu > Date: Fri Feb 18 09:40:13 2011 > New Revision: 218794 > URL: http://svn.freebsd.org/changeset/base/218794 > > Log: > Fixed IPsec's HMAC_SHA256-512 support to be RFC4868 compliant. > This will break interoperability with all older versions of > FreeBSD for those algorithms. > > Reviewed by: bz, gnn > Obtained from: NETASQ > MFC after: 1w
First of all, I can't see such a change being merged to stable, where going from 8.2 to 8.3 will break IPsec tunnels. Second of all I really think that an UPDATING entry is not enough. We should at least provide sysctl to change it back and if we can detect this based on packet size, it would be best to log a warning that the other side is using old implementation and it (the other side) should be either upgraded or this sysctl should be changed locally to enable old behaviour. I'm happy to remove such sysctl after one full major release, so we won't support tunnels between FreeBSD 8 and FreeBSD 10, but we should IMHO definitely support tunnels between both 8-9 and 9-10. -- Pawel Jakub Dawidek http://www.wheelsystems.com p...@freebsd.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am!
pgppBc8pBCWP5.pgp
Description: PGP signature
