Date: Thu, 4 Apr 2002 08:55:03 -0700 (MST) From: matthew weaver <matt@ice-nine.org> To: Sam Leffler <sam@errno.com> Cc: freebsd-net@FreeBSD.ORG Subject: Re: kame ipsec vs. openbsd ipsec Message-ID: <Pine.BSO.4.44.0204040846240.28381-100000@iorek.ice-nine.org> In-Reply-To: <2c1d01c1db3b$460c7720$52557f42@errno.com>
next in thread | previous in thread | raw e-mail | index | archive | help
in Apr, Sam Leffler probably wrote : |1. Has anyone else seriously looked at doing this? |2. Has anyone compared the OpenBSD and KAME implementations and understand |their relative strengths? (e.g. is there some reason to work with KAME other |than it's already in the system) I realize you're most interested in a developer's perspective on this, and I'm not comfortable providing anything like that. On a side note, however, I'll mention some things from a administrative/user perspective. I like these features of the OpenBSD implementation, one of which was mentioned by Tariq Rashid <tariq@inty.net>: 1. The enc interface. Makes it extremely simple to have packet filtering rules for IPSEC tunneled networks, and routing is easier to think about, imho. 2. IPSEC flows appear in netstat -r output, very handy. 3. kernfs has information about each SA, including statistics for them (bytes, packets, etc). I'm less familiar with the KAME implementation, so I'm unable to highlight its strengths compared to the OpenBSD code -- perhaps someone will jump in here and point them out for me. matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSO.4.44.0204040846240.28381-100000>