Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 4 Apr 2002 08:55:03 -0700 (MST)
From:      matthew weaver <matt@ice-nine.org>
To:        Sam Leffler <sam@errno.com>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: kame ipsec vs. openbsd ipsec
Message-ID:  <Pine.BSO.4.44.0204040846240.28381-100000@iorek.ice-nine.org>
In-Reply-To: <2c1d01c1db3b$460c7720$52557f42@errno.com>

next in thread | previous in thread | raw e-mail | index | archive | help
in Apr, Sam Leffler probably wrote :

|1. Has anyone else seriously looked at doing this?
|2. Has anyone compared the OpenBSD and KAME implementations and understand
|their relative strengths? (e.g. is there some reason to work with KAME other
|than it's already in the system)

  I realize you're most interested in a developer's perspective on this,
  and I'm not comfortable providing anything like that.

  On a side note, however, I'll mention some things from a
  administrative/user perspective.

  I like these features of the OpenBSD implementation, one of
  which was mentioned by Tariq Rashid <tariq@inty.net>:

  1. The enc interface. Makes it extremely simple to have packet
  filtering rules for IPSEC tunneled networks, and routing
  is easier to think about, imho.

  2. IPSEC flows appear in netstat -r output, very handy.

  3. kernfs has information about each SA, including statistics
  for them (bytes, packets, etc).

  I'm less familiar with the KAME implementation, so I'm unable to
  highlight its strengths compared to the OpenBSD code -- perhaps
  someone will jump in here and point them out for me.

  matt


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSO.4.44.0204040846240.28381-100000>