From: VANHULLEBUS Yvan <vanhu@zeninc.net>
To: freebsd-net@FreeBSD.org
Date: Wed, 21 Jan 2009 10:55:07 +0100
Message-ID: <20090121095507.GB36716@zeninc.net>
Subject: [Patch for review] Experimental NAT-T + PFKey cleanup
List-Id: Networking and TCP/IP with FreeBSD

[same mail sent both on ipsec-tools-devel and freebsd-net, please use respective MLs for potential issues on each side]

Hi all.

Here is a beta patch which cleans the way PFKey exchanges NAT-T ports between kernel and userland, available at:

http://people.freebsd.org/~vanhu/NAT-T/experimental/

patch-FreeBSD-TRUNK-NATT-pfkey-clean-.diff is the whole FreeBSD NAT-T patchset (also available on perforce.freebsd.org for those who have access).

patch-ipsec-tools-HEAD-NATT-pfkey-cleanup-.diff applies on ipsec-tools CVS HEAD.
With those patches, NAT-T ports are now always sent via SADB_X_EXT_NAT_T_[S|D]PORT, and never as ports in SADB_EXT_ADDRESS_[SRC|DST] (which is not RFC2367 compliant). Both ways are more or less used actually.

Basic tests with those patches work (a tunnel with NAT-T negotiates and works), but please note those patches are in a directory called "experimental". At least, setkey hasn't been updated yet, and some cleanups will need to be done before committing.

Compatibility with existing IPsec+NAT-T stacks is also an issue (if you compile without NAT-T support, you'll have NO issue at all):

- racoon + patch won't work correctly on FreeBSD + old NAT-T patch (I'll generate at least an updated patch for FreeBSD 7.x).
- racoon + patch won't work correctly on NetBSD + NAT-T enabled.
- racoon + patch may work as well or even better on Linux... or not...
- racoon without patch won't work correctly on FreeBSD + new NAT-T patch.
- racoon without patch won't work correctly on updated NetBSD + NAT-T (no NetBSD patch yet).

The ipsec-tools team has still not decided how such compatibility issues will be handled (or not...), any (good) idea is welcome!

Please send feedback/bug reports/patches/anything else directly on the ipsec-tools-devel or freebsd-net MLs (for respective patches), so everyone interested will have the info.

Yvan.
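An added example, not code from Yvan's patchset or from ipsec-tools: a userland-side PF_KEY extension walker that takes NAT-T ports only from SADB_X_EXT_NAT_T_SPORT/DPORT, as the patches make mandatory, and rejects a truncated message or a malformed extension length before reading any body. The struct layouts, the extension type numbers (20/21/22) and the constructed sample message are assumptions mirroring FreeBSD's <net/pfkeyv2.h>, not taken from the patch; the port field is copied as stored, with no byte-order conversion.

```c
/* Added example, not part of Yvan's patchset: walk a PF_KEY v2 extension chain and
 * take NAT-T ports only from SADB_X_EXT_NAT_T_SPORT/DPORT, never from a port stored
 * in an SADB_EXT_ADDRESS_* sockaddr. Layouts and constants are local copies assumed
 * to mirror FreeBSD's <net/pfkeyv2.h>; *_len fields count 8-byte units (RFC 2367). */
#include <stdint.h>
#include <string.h>
#define SADB_X_EXT_NAT_T_TYPE  20
#define SADB_X_EXT_NAT_T_SPORT 21
#define SADB_X_EXT_NAT_T_DPORT 22
struct sadb_msg { uint8_t version, type, err, satype; uint16_t len, reserved; uint32_t seq, pid; };
struct sadb_ext { uint16_t len, exttype; };
struct sadb_x_nat_t_port { uint16_t len, exttype, port, reserved; };
struct natt_ports { uint16_t sport, dport; };          /* 0 = extension not present */

/* Fills *out; returns 0, or -1 when the message or an extension is truncated or
 * over-long. Every length is validated before an extension body is read. */
int pfkey_natt_ports(const uint8_t *buf, size_t buflen, struct natt_ports *out)
{
    struct sadb_msg msg; struct sadb_ext ext; struct sadb_x_nat_t_port p;
    size_t off = sizeof msg, total, elen;
    memset(out, 0, sizeof *out);
    if (buflen < sizeof msg) return -1;
    memcpy(&msg, buf, sizeof msg); total = (size_t)msg.len * 8;
    if (total > buflen) return -1;                      /* header claims more than supplied */
    while (off + sizeof ext <= total) {
        memcpy(&ext, buf + off, sizeof ext);
        elen = (size_t)ext.len * 8;
        if (elen < sizeof ext || elen > total - off) return -1;   /* malformed extension */
        if (ext.exttype == SADB_X_EXT_NAT_T_SPORT || ext.exttype == SADB_X_EXT_NAT_T_DPORT) {
            if (elen < sizeof p) return -1;
            memcpy(&p, buf + off, sizeof p);            /* port copied as stored in the message */
            if (ext.exttype == SADB_X_EXT_NAT_T_SPORT) out->sport = p.port; else out->dport = p.port;
        }                                               /* any other exttype is skipped */
        off += elen;
    }
    return 0;
}

/* Builds a constructed 40-byte sample (sadb_msg + NAT-T type, sport and dport exts),
 * optionally zeroes the first extension's len field, then parses `give` bytes of it.
 * Returns -1 if the parser rejects it, else (sport << 16) | dport as extracted. */
long natt_probe(uint16_t sport, uint16_t dport, size_t give, int corrupt_len)
{
    uint8_t buf[40]; struct natt_ports np;
    struct sadb_msg msg = { 2, 0, 0, 0, 5, 0, 1, 0 };                /* len 5 = 40 bytes */
    struct sadb_x_nat_t_port t = { 1, SADB_X_EXT_NAT_T_TYPE, 0, 0 },  /* type ext is also 8 bytes */
        s = { 1, SADB_X_EXT_NAT_T_SPORT, sport, 0 }, d = { 1, SADB_X_EXT_NAT_T_DPORT, dport, 0 };
    memcpy(buf, &msg, 16); memcpy(buf + 16, &t, 8); memcpy(buf + 24, &s, 8); memcpy(buf + 32, &d, 8);
    if (corrupt_len) memset(buf + 16, 0, 2);
    if (pfkey_natt_ports(buf, give, &np) != 0) return -1;
    return ((long)np.sport << 16) | np.dport;
}
```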