From: Bruce M Simpson
To: David Gilbert
Cc: "George V. Neville-Neil", freebsd-current@freebsd.org, Mike Tancsa
Date: Wed, 27 Oct 2004 21:13:45 -0700
Message-ID: <20041028041345.GC772@empiric.icir.org>
In-Reply-To: <16768.22876.926445.412412@canoe.dclg.ca>
Subject: Re: IPSec on current.

On Wed, Oct 27, 2004 at 10:28:44PM -0400, David Gilbert wrote:
> George> Just for the record, yes, FAST_IPSEC does not support INET6.
>
> Not supporting IPv6 is less of a showstopper than not supporting
> FAST_IPSEC as the latter is required (for instance) BGP.

I have a whole load of changes to bring in itojun's stuff from NetBSD
which makes TCP_SIGNATURE work with KAME IPSEC, and also performs input
verification. Unfortunately, due to the way this works, this is all or
nothing and needs some rethinking to have the correct granularity. But
it's definitely a step in the right direction.

In future it'll probably require that applications using TCP_SIGNATURE
be able to speak PF_KEY. This stuff is still quite a bit far off from
being committed to -CURRENT, though, and I probably won't have a chance
to finish it for some time.

FAST_IPSEC not jibing with INET6 is a separate issue, but from what I
understand, it's quite possible, again, lack of committer time/resource.

Regards,
BMS