> What's the deal with IPSEC?

The protocol is called IPsec (and often miscapitalized), and our kernel option is IPSEC.

> I've never used it, but I was under the impression it gives encryption
> for free for things that otherwise don't have it.

It provides confidentiality and data origin authentication at the IP level, via a per-packet protocol called Encapsulating Security Protocol. In this respect it is sort of like TLS, but operating at the IP layer rather than the TCP layer. However, implementations of it are OS services, rather than code in user space. (But the key management is in user space.)

> Do all the programs need to have ipsec-specific goo to use it? telnet
> does, as well as having its own encryption code.

No. One configures the use of IPsec via Security Policy Database entries, which in NetBSD are managed via setkey(8). The encryption in telnet is, I believe, Kerberos. Kerberos predates IPsec by a lot, and is based on symmetric cryptography only (which is all that was feasible in the early 80s). As far as I know, Kerberos processing is always done within the application program rather than being a kernel service.
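As an added illustration (not part of the message above), here is what the Security Policy Database entries described there look like as a setkey(8) script. The two hosts 192.0.2.10 and 192.0.2.20 are constructed TEST-NET addresses; the policy requires transport-mode ESP for all traffic between them, with no change to telnet or any other application. The keys for the matching Security Associations are assumed to come from a user-space key management daemon, or from manual `add` lines that are deliberately not shown here.

```conf
# setkey(8) script, to be loaded with: setkey -f <this file>
# Start from a clean Security Association and Security Policy Database.
flush;
spdflush;

# Outbound: every packet from this host (192.0.2.10) to the peer
# must be protected with ESP in transport mode; "require" means
# the kernel drops the packet rather than sending it in the clear
# when no matching SA exists.
spdadd 192.0.2.10 192.0.2.20 any -P out ipsec
    esp/transport//require;

# Inbound: only accept packets from the peer if they arrived
# inside ESP; cleartext packets matching this selector are dropped.
spdadd 192.0.2.20 192.0.2.10 any -P in ipsec
    esp/transport//require;
```

Because the policy is keyed on addresses and "any" protocol, the protection applies to telnet, NFS or anything else between the two hosts, which is the "encryption for free" the question was asking about; checking `setkey -DP` afterwards shows the installed policy.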