Date: Wed, 21 Jan 2009 10:55:07 +0100 From: VANHULLEBUS Yvan <vanhu@FreeBSD.org> To: freebsd-net@FreeBSD.org Subject: [Patch for review] Experimental NAT-T + PFKey cleanup Message-ID: <20090121095507.GB36716@zeninc.net>
[same mail sent both on ipsec-tools-devel and freebsd-net, please use respective MLs for potential issues on each side]

Hi all.

Here is a beta patch which cleans the way PFKey exchanges NAT-T ports between kernel and userland, available at:

http://people.freebsd.org/~vanhu/NAT-T/experimental/

patch-FreeBSD-TRUNK-NATT-pfkey-clean-<date>.diff is the whole FreeBSD NAT-T patchset (also available on perforce.freebsd.org for those who have access).

patch-ipsec-tools-HEAD-NATT-pfkey-cleanup-<date>.diff applies on ipsec-tools CVS HEAD.

With those patches, NAT-T ports are now always sent via SADB_X_EXT_NAT_T_[S|D]PORT, and never as ports in SADB_EXT_ADDRESS_[SRC|DST] (which is not RFC2367 compliant). Both ways are more or less used actually.

Basic tests with those patches work (a tunnel with NAT-T negotiates and works), but please note those patches are in a directory called "experimental". At least, setkey hasn't been updated yet, and some cleanups will need to be done before committing.

Compatibility with existing IPsec+NAT-T stacks is also an issue (if you compile without NAT-T support, you'll have NO issue at all):

- racoon + patch won't work correctly on FreeBSD + old NAT-T patch (I'll generate at least an updated patch for FreeBSD 7.x).
- racoon + patch won't work correctly on NetBSD + NAT-T enabled.
- racoon + patch may work as good or even better on Linux... or not...
- racoon without patch won't work correctly on FreeBSD + new NAT-T patch.
- racoon without patch won't work correctly on updated NetBSD + NAT-T (no NetBSD patch yet).

Ipsec-tools team has still not decided how such compatibility issues will be handled (or not...), any (good) idea is welcome!

Please send feedback/bug reports/patches/anything else directly on ipsec-tools-devel or freebsd-net MLs (for respective patches), so everyone interested will have the info.

Yvan.
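The distinction the mail draws (NAT-T ports carried in dedicated SADB_X_EXT_NAT_T_SPORT/DPORT extensions versus smuggled into the sockaddr port fields of SADB_EXT_ADDRESS_SRC/DST) is easiest to see in a parser that walks a PFKEY message. The following is an added example written for this page, not code from the patches or from ipsec-tools. It builds a constructed SADB message in memory in both styles, walks the extension chain with the length checks a userland daemon needs, and reports whether the ports arrived only in the dedicated extensions. Struct layouts and the SADB_EXT_ADDRESS_* numbers follow RFC 2367; the NAT-T extension numbers 21/22 are the values used by FreeBSD's and Linux's pfkeyv2.h but are defined locally here (an assumption of the example) so it compiles without that header. Sample addresses and ports are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Constants mirror RFC 2367 / pfkeyv2.h; defined locally so the example is self-contained. */
#define SADB_ADD               3
#define SADB_EXT_ADDRESS_SRC   5
#define SADB_EXT_ADDRESS_DST   6
#define SADB_X_EXT_NAT_T_SPORT 21   /* assumption: value as in FreeBSD/Linux pfkeyv2.h */
#define SADB_X_EXT_NAT_T_DPORT 22   /* assumption: value as in FreeBSD/Linux pfkeyv2.h */
#define PFKEY_UNIT64(n) ((uint16_t)((n) >> 3))   /* PFKEY lengths are in 64-bit units */

struct sadb_msg { uint8_t ver, type, err, satype; uint16_t len, rsv; uint32_t seq, pid; };
struct sadb_ext { uint16_t len, type; };
struct sadb_address { uint16_t len, exttype; uint8_t proto, prefixlen; uint16_t rsv; }; /* sockaddr follows */
struct sadb_x_nat_t_port { uint16_t len, exttype, port, rsv; };                       /* port in network order */

struct natt_ports {
    uint16_t sport, dport;            /* from SADB_X_EXT_NAT_T_*PORT, host order, 0 if absent */
    uint16_t src_addr_port, dst_addr_port; /* sockaddr ports inside SADB_EXT_ADDRESS_*, should be 0 */
};

/* Walk the extension chain; return 0 on success, -1 on a malformed or truncated message. */
int pfkey_natt_ports(const uint8_t *buf, size_t buflen, struct natt_ports *out)
{
    struct sadb_msg hdr;
    size_t off, total, extlen;

    memset(out, 0, sizeof *out);
    if (buflen < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    total = (size_t)hdr.len * 8;
    if (total < sizeof hdr || total > buflen) return -1;       /* header claims more than we received */

    for (off = sizeof hdr; off + sizeof(struct sadb_ext) <= total; off += extlen) {
        struct sadb_ext ext;
        memcpy(&ext, buf + off, sizeof ext);
        extlen = (size_t)ext.len * 8;
        if (extlen < sizeof ext || off + extlen > total) return -1;   /* zero-length or overrunning ext */
        switch (ext.type) {
        case SADB_EXT_ADDRESS_SRC:
        case SADB_EXT_ADDRESS_DST: {
            struct sockaddr_in sin;                                   /* IPv4 only in this example */
            if (extlen < sizeof(struct sadb_address) + sizeof sin) return -1;
            memcpy(&sin, buf + off + sizeof(struct sadb_address), sizeof sin);
            if (sin.sin_family != AF_INET) return -1;
            if (ext.type == SADB_EXT_ADDRESS_SRC) out->src_addr_port = ntohs(sin.sin_port);
            else                                  out->dst_addr_port = ntohs(sin.sin_port);
            break;
        }
        case SADB_X_EXT_NAT_T_SPORT:
        case SADB_X_EXT_NAT_T_DPORT: {
            struct sadb_x_nat_t_port pe;
            if (extlen < sizeof pe) return -1;
            memcpy(&pe, buf + off, sizeof pe);
            if (ext.type == SADB_X_EXT_NAT_T_SPORT) out->sport = ntohs(pe.port);
            else                                    out->dport = ntohs(pe.port);
            break;
        }
        default: break;   /* SA, lifetime, key ... extensions are not needed here */
        }
    }
    return 0;
}

/* 1 if the ports came only through the dedicated extensions (the cleaned-up convention), else 0. */
int natt_ports_consistent(const struct natt_ports *p)
{
    return p->src_addr_port == 0 && p->dst_addr_port == 0;
}

static size_t put_address(uint8_t *p, uint16_t type, const char *ip, uint16_t sockaddr_port)
{
    struct sadb_address a = {0};
    struct sockaddr_in sin = {0};
    size_t len = sizeof a + sizeof sin;          /* 8 + 16 bytes, already a multiple of 8 */
    a.len = PFKEY_UNIT64(len); a.exttype = type;
    sin.sin_family = AF_INET; sin.sin_port = htons(sockaddr_port);
    inet_pton(AF_INET, ip, &sin.sin_addr);
    memcpy(p, &a, sizeof a); memcpy(p + sizeof a, &sin, sizeof sin);
    return len;
}

static size_t put_natt_port(uint8_t *p, uint16_t type, uint16_t port)
{
    struct sadb_x_nat_t_port e = { PFKEY_UNIT64(sizeof e), type, htons(port), 0 };
    memcpy(p, &e, sizeof e);
    return sizeof e;
}

/* Constructed SADB_ADD message; legacy=1 puts the ports in the sockaddrs, legacy=0 in the NAT-T exts. */
size_t build_natt_msg(uint8_t *buf, size_t cap, int legacy, uint16_t sport, uint16_t dport)
{
    struct sadb_msg hdr = {0};
    size_t off = sizeof hdr;
    if (cap < 80) return 0;
    off += put_address(buf + off, SADB_EXT_ADDRESS_SRC, "192.0.2.1",    legacy ? sport : 0);
    off += put_address(buf + off, SADB_EXT_ADDRESS_DST, "198.51.100.7", legacy ? dport : 0);
    if (!legacy) {
        off += put_natt_port(buf + off, SADB_X_EXT_NAT_T_SPORT, sport);
        off += put_natt_port(buf + off, SADB_X_EXT_NAT_T_DPORT, dport);
    }
    hdr.ver = 2; hdr.type = SADB_ADD; hdr.len = PFKEY_UNIT64(off);
    memcpy(buf, &hdr, sizeof hdr);
    return off;
}

/* Build then parse in one step; returns the parser's result. */
int roundtrip(int legacy, struct natt_ports *out)
{
    uint8_t buf[128];
    size_t n = build_natt_msg(buf, sizeof buf, legacy, 4500, 61234);
    return pfkey_natt_ports(buf, n, out);
}

int main(void)
{
    struct natt_ports p;
    for (int legacy = 0; legacy < 2; legacy++) {
        if (roundtrip(legacy, &p) != 0) { puts("malformed"); continue; }
        printf("%s: ext ports %u/%u, sockaddr ports %u/%u -> %s\n",
               legacy ? "legacy" : "cleaned", p.sport, p.dport, p.src_addr_port, p.dst_addr_port,
               natt_ports_consistent(&p) ? "ports in dedicated extensions" : "ports in sockaddr (old style)");
    }
    return 0;
}
```

The parser treats every length as untrusted: a message whose sadb_msg_len exceeds the bytes actually read, or an extension with a zero length or one that overruns the message, is rejected rather than walked. The consistency check is what lets a daemon tell which of the two conventions its peer kernel follows, which is exactly the interoperability question the compatibility list above raises.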