Date: Sun, 16 Jul 2000 16:00:16 -0700 (PDT)
From: Kris Kennaway
To: stable@freebsd.org, net@freebsd.org
Subject: HEADS UP! Please test new KAME

I meant to send this out yesterday, but forgot.

I have merged the KAME code from -current, which brings 4.1 up to the most recent sources from the KAME project (http://www.kame.net).

What does this give us? I'm glad you asked :-)

* Significantly improved IPSEC functionality. In particular, IPSEC security associations must no longer be manually keyed: the new code supports racoon, the KAME IKE daemon, which is located in /usr/ports/security/racoon. Racoon has been shown to interoperate well with other vendor IKE systems, meaning that FreeBSD 4.1 can be used in a heterogeneous IPSEC environment. However, racoon *is* still a work in progress, meaning that there may still be bugs, configuration syntax changes, etc.

* About 9 months of fixes and improvements to the IPv6 code relative to what was previously in 4.0.

* FreeBSD 4.1 can now be installed on an IPv6-only network - this will be the first release of FreeBSD that never needs to operate using IPv4 at all! ftp7.jp.freebsd.org (Japan #7) is an IPv6-reachable mirror site for installation and package-fetching.

* Several additional system utilities (whois, fetch, and possibly others) have gained the ability to operate over IPv6.

* FreeBSD 4.1 will ship with numerous IPv6-ready packages including web servers and browsers, all manner of network clients (FTP, IRC, SSH, ...) and network tools. See http://www.freebsd.org/ports/ipv6.html for a list of IPv6-capable ports.

* One useful feature of KAME which has not yet been merged across is the ALTQ traffic-shaping system - I hope to get this in time for 4.2. The more experimental KAME code has also not been merged. If you need those features, I suggest you make use of the KAME snapshots from www.kame.net which will become available after 4.1-RELEASE.

* I am sure I have forgotten some of the features of the new code :-)

The merged changes have been tested in -current for several weeks without incident. The only known problem is that NFS mounts over IPSEC do not seem to work reliably (in my testing environment, at least) - I have seen eventual hangs with IPSEC/ESP mounts and possible data corruption with IPSEC/AH.

However, there's of course no way for me to have tested everything, so there may still be bugs which affect operation. There are still 9 days until the scheduled release of 4.1-RELEASE in which to find and correct problems, so I respectfully ask all of you who can test the new code to please do as much as you can *now*, while there's still time, and not after the release has been rolled when it's too late. Thanks!

On behalf of the FreeBSD community, I would like to thank the KAME developer team for their tireless work and dedication to the BSD community, and in particular the efforts of Hagino-san, Umemoto-san and Sumikawa-san (I hope I'm not forgetting anyone) for bringing the latest code into FreeBSD.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe