From: "Bjoern A. Zeeb"
Date: Wed, 21 Jan 2009 10:12:32 +0000 (UTC)
To: VANHULLEBUS Yvan
Cc: freebsd-net@FreeBSD.org
Subject: Re: [Patch for review] Experimental NAT-T + PFKey cleanup
In-Reply-To: <20090121095507.GB36716@zeninc.net>
Message-ID: <20090121100244.M45399@maildrop.int.zabbadoz.net>

On Wed, 21 Jan 2009, VANHULLEBUS Yvan wrote:

Hi,

> [same mail sent both on ipsec-tools-devel and freebsd-net, please use
> respective MLs for potential issues on each side]
>
> Hi all.
>
> Here is a beta patch which cleans the way PFKey exchanges NAT-T ports
> between kernel and userland, available at:
> http://people.freebsd.org/~vanhu/NAT-T/experimental/
...
>
> With those patches, NAT-T ports are now always sent via
> SADB_X_EXT_NAT_T_[S|D]PORT, and never as ports in
> SADB_EXT_ADDRESS_[SRC|DST] (which is not RFC2367 compliant)
> Both ways are more or less used actually.
...
>
> Ipsec-tools team has still not decided how such compatibility issues
> will be handled (or not...), any (good) idea is welcome !

While this seems to be a big concern and there is compat breakage with
this patchset already, could we just finish the thing and also add the
second OA to not have to go through another round of breakage at a
later time?

I checked the patch and I still can only see one NAT_T_OA which does
not work in the double NAT scenario as I have stated multiple times in
the past. See RFC3947, 5.2., Example 2.

As said before I am currently caring less that the functionality behind
this is implemented but want to make sure we do not need to break APIs
again at a later time to add this and thus giving us way more pain then.

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
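To make the PF_KEY encoding question in this thread concrete, here is an added C example (not part of the thread, the ipsec-tools patch or FreeBSD's own code) that walks an RFC 2367 extension chain and reports whether NAT-T ports travel in dedicated SADB_X_EXT_NAT_T_SPORT/DPORT extensions or sit inside the SADB_EXT_ADDRESS_* sockaddrs, and how many NAT-T OA extensions are present (two are needed for the double-NAT case cited above). The struct layouts follow RFC 2367; the NAT-T extension type numbers and the OAI/OAR names are assumed placeholders, not values taken from net/pfkeyv2.h.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* Generic PF_KEY extension header (RFC 2367); sadb_ext_len counts 64-bit units. */
struct sadb_ext { uint16_t sadb_ext_len; uint16_t sadb_ext_type; };
/* ADDRESS_SRC/DST are fixed by RFC 2367. The NAT-T numbers are placeholders
 * (assumed here); take the real ones from your platform's net/pfkeyv2.h. */
enum { EXT_ADDRESS_SRC = 5, EXT_ADDRESS_DST = 6, EXT_NAT_T_SPORT = 20, EXT_NAT_T_DPORT = 21,
       EXT_NAT_T_OAI = 22, EXT_NAT_T_OAR = 23, SADB_MSG_LEN = 16 /* fixed base header */ };
struct natt_report { int port_exts, oa_exts, ports_in_addr; };

/* Walk the extension chain and classify how NAT-T data is carried; -1 if malformed. */
int check_natt(const uint8_t *msg, size_t msglen, struct natt_report *r) {
    memset(r, 0, sizeof *r);
    if (msglen < SADB_MSG_LEN) return -1;
    for (size_t off = SADB_MSG_LEN; off + sizeof(struct sadb_ext) <= msglen;) {
        struct sadb_ext e; struct sockaddr_in sa; memcpy(&e, msg + off, sizeof e);
        size_t elen = (size_t)e.sadb_ext_len * 8;
        if (elen < 8 || elen > msglen - off) return -1;          /* truncated or bogus */
        switch (e.sadb_ext_type) {
        case EXT_ADDRESS_SRC: case EXT_ADDRESS_DST:      /* sockaddr at +8; port must be 0 */
            if (elen >= 8 + sizeof sa) { memcpy(&sa, msg + off + 8, sizeof sa);
                                         r->ports_in_addr += (sa.sin_port != 0); }
            break;
        case EXT_NAT_T_SPORT: case EXT_NAT_T_DPORT: r->port_exts++; break;
        case EXT_NAT_T_OAI:   case EXT_NAT_T_OAR:   r->oa_exts++;   break;
        }
        off += elen;
    }
    return 0;
}

/* Append one extension: header, zero padding to units*8 bytes, payload copied at +payoff. */
static size_t put_ext(uint8_t *b, size_t off, uint16_t type, uint16_t units, size_t payoff, const void *p, size_t n) {
    struct sadb_ext e = { .sadb_ext_len = units, .sadb_ext_type = type };
    memset(b + off, 0, units * 8u); memcpy(b + off, &e, sizeof e); memcpy(b + off + payoff, p, n);
    return off + units * 8u;
}

/* Constructed sample: both address exts, both NAT-T port exts, n_oa OA exts; ports_in_addr != 0 reproduces the non-compliant "port inside the sockaddr" encoding. */
size_t build_sample(uint8_t *b, int ports_in_addr, int n_oa) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(ports_in_addr ? 4500 : 0) };
    uint16_t port = htons(4500); size_t off = SADB_MSG_LEN; memset(b, 0, SADB_MSG_LEN);
    off = put_ext(b, off, EXT_ADDRESS_SRC, 3, 8, &sa, sizeof sa);
    off = put_ext(b, off, EXT_ADDRESS_DST, 3, 8, &sa, sizeof sa);
    off = put_ext(b, off, EXT_NAT_T_SPORT, 1, 4, &port, 2);
    off = put_ext(b, off, EXT_NAT_T_DPORT, 1, 4, &port, 2);
    sa.sin_port = 0;                                        /* OA carries an address only */
    if (n_oa >= 1) off = put_ext(b, off, EXT_NAT_T_OAI, 3, 8, &sa, sizeof sa);
    if (n_oa >= 2) off = put_ext(b, off, EXT_NAT_T_OAR, 3, 8, &sa, sizeof sa);
    return off;
}
```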