Date: Thu, 11 Mar 1999 19:51:30 -0500
From: "Angelos D. Keromytis" <angelos@dsl.cis.upenn.edu>
To: "Marco Molteni" <molter@tin.it>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IKE daemons (was: Re: disapointing security architecture)
Message-ID: <199903120051.TAA30722@adk.gr>
In-Reply-To: Your message of "Fri, 12 Mar 1999 01:32:04 +0100." <Pine.BSF.3.96.990312012243.407B-100000@nympha>
In message <Pine.BSF.3.96.990312012243.407B-100000@nympha>, "Marco Molteni" writes:
>
>Angelos, maybe I wasn't clear. What I meant was simply that PF_KEY isn't
>IPsec (it's just an API), not that, since OpenBSD has PF_KEY, it hasn't
>IPsec. I know OpenBSD has the NRL code.

Actually, OpenBSD has the NRL IPv6, and a mutation of the PFKEY code. The
IPsec code is our own (its lineage can be traced back to 1995).

>What is isakmpd ? Is it an IKE daemon? I saw in the NRL IPsec web pages
>that they have two IKE/ISAKMP daemons, one from Cisco, but both aren't
>available outside the USA.
>
>Basically I'm looking for some sample code using PF_KEY to do key
>exchanges.

Yes, isakmpd is an IKE implementation; as far as I know, it's the best free
implementation available outside the US (better than most implementations,
free or otherwise, domestic and not). You can get it off the OpenBSD tree
(BSD license).

The Cisco IKE is just horrible; the other one on the NRL page is most likely
the one from the NIST IPsec Reference Implementation (can't seem to locate
the URL for that right now). That one uses an updated Pluto (an old IKE
implementation I wrote back in '97, also used by the linux-ipsec FreeSWAN
project). Since I'm the author of that code, I think my advice is very
authoritative: steer clear of it; the core Pluto (about 10K lines) was
written in about 3 weeks time, as a proof of concept.

For PFKEY code, you can take a look at the OpenBSD ipsecadm(8) source; it's
the manual-key command. Or you can talk to Niklas Hallqvist and/or Niels
Provos (niklas@openbsd, provos@openbsd) who are currently updating isakmpd
and photurisd to use PFKEY.

Enough rambling,
-Angelos

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
