From owner-freebsd-net@FreeBSD.ORG Thu Jul 17 04:10:20 2008
Message-ID: <487EC62A.3070301@freebsd.org>
Date: Wed, 16 Jul 2008 21:10:18 -0700
From: Sam Leffler
Organization: FreeBSD Project
To: freebsd-net@freebsd.org
Cc: vanhu_bsd@zeninc.net, Larry Baird
Subject: Re: FreeBSD NAT-T patch integration [CFR/CFT]
In-Reply-To: <486A45AB.2080609@freebsd.org>
References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

Sam Leffler wrote:
> Larry Baird wrote:
>>> And how do I know that it works?
>>> Well, when it doesn't work, I do know it, quite quickly most of the
>>> time!
>>>
>> I have to chime in here. I did most of the initial porting of the
>> NAT-T patches from Kame IPSec to FAST_IPSEC. I did look at every
>> line of code during this process. I found no security problems during
>> the port. Like Yvan, my company uses the NAT-T patches commercially.
>> Like he says, if it had problems, we would hear about it. If the
>> patches don't get committed, I highly suspect Yvan or myself would try
>> to keep the patches up to date. So far I have done FAST_IPSEC patches
>> for FreeBSD 4,5,6. Yvan did 7 and 8 by himself. Keeping up gets to be
>> a pain after a while. I do plan to look at the FreeBSD 7 patches soon,
>> but it sure would be nice to see it committed.
>>

Please test/review the following patch against HEAD:

http://people.freebsd.org/~sam/nat_t-20080616.patch

This adds only the kernel portion of the NAT-T support; you must provide
the user-level code from another place. The main difference from the
patches floating around is in the ctloutput path (adding proper locking
for HEAD) and decap of ESP-in-UDP frames.

Assuming folks are ok w/ these changes I'll commit to HEAD. Once this
stuff goes in we can look at getting the user-mode mods into the tree.

Sam

PS. Thanks especially to Matthew Grooms who tested an earlier version
and fixed a bug.
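As an added illustration of the "decap of ESP-in-UDP frames" step mentioned above (my own example, not code from the patch, from FreeBSD or from Kame): before a NAT-T receiver can hand anything to ESP processing it has to sort the datagrams arriving on UDP port 4500 into the three kinds RFC 3948 defines (one-byte keepalive, IKE behind a zero "non-ESP marker", ESP starting with a non-zero SPI) and drop everything else. Function names, the length checks and the sample datagrams are my constructions, not anything from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What a datagram arriving on the NAT-T UDP port (4500) turned out to be. */
enum natt_kind { NATT_KEEPALIVE, NATT_IKE, NATT_ESP, NATT_MALFORMED };
#define NATT_KEEPALIVE_BYTE 0xFF /* one-byte NAT keepalive (RFC 3948 s2.3) */
#define NATT_MARKER_LEN 4        /* zero "non-ESP marker" before IKE (s2.2) */
#define ISAKMP_HDR_LEN 28        /* smallest well-formed IKE message */
#define ESP_HDR_LEN 8            /* SPI (4) + sequence number (4) */
static uint32_t rd32be(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* RFC 3948 keeps the kinds unambiguous: a keepalive is exactly one 0xFF byte,
 * IKE follows a zero word, and ESP starts with its SPI, which is never zero.
 * Anything else is dropped here instead of being handed to ESP input. */
enum natt_kind natt_classify(const uint8_t *p, size_t len,
                             const uint8_t **inner, size_t *inner_len)
{
    const uint8_t *in = NULL;            /* start of the IKE or ESP packet */
    size_t in_len = 0;
    enum natt_kind kind = NATT_MALFORMED;
    if (len == 1 && p[0] == NATT_KEEPALIVE_BYTE) {
        kind = NATT_KEEPALIVE;
    } else if (len >= NATT_MARKER_LEN && rd32be(p) == 0) {
        if (len - NATT_MARKER_LEN >= ISAKMP_HDR_LEN) { /* marker + full IKE header */
            in = p + NATT_MARKER_LEN; in_len = len - NATT_MARKER_LEN; kind = NATT_IKE;
        }
    } else if (len >= ESP_HDR_LEN) { /* non-zero leading word is an ESP SPI */
        in = p; in_len = len; kind = NATT_ESP;
    }
    if (inner) *inner = in;
    if (inner_len) *inner_len = in_len;
    return kind;
}

uint32_t esp_spi(const uint8_t *esp) { return rd32be(esp); } /* key for SA lookup */
/* Constructed sample datagrams (not real captures). */
const uint8_t sample_keepalive[1] = { 0xFF };
const uint8_t sample_esp[16] = { 0, 0, 0x12, 0x34, 0, 0, 0, 1, 9, 9, 9, 9, 9, 9, 9, 9 };
const uint8_t sample_ike[32] = { 0, 0, 0, 0, [4] = 0xAB, [31] = 0xCD }; /* marker + 28 */
const uint8_t sample_bad[5] = { 0, 0, 0, 0, 0xFF };                     /* marker, no IKE */
int main(void)
{
    static const char *names[] = { "keepalive", "ike", "esp", "malformed" };
    printf("%s\n", names[natt_classify(sample_esp, sizeof sample_esp, NULL, NULL)]);
    return 0;
}
```

The malformed branch is the one that matters for a kernel: a zero first word with no IKE header behind it, or fewer than eight bytes claiming to be ESP, must never reach the ESP input path.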