From: matthew weaver
To: Sam Leffler
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: kame ipsec vs. openbsd ipsec
Date: Thu, 4 Apr 2002 08:55:03 -0700 (MST)
In-Reply-To: <2c1d01c1db3b$460c7720$52557f42@errno.com>

in Apr, Sam Leffler probably wrote :
| 1. Has anyone else seriously looked at doing this?
| 2. Has anyone compared the OpenBSD and KAME implementations and understand
| their relative strengths? (e.g. is there some reason to work with KAME other
| than it's already in the system)

I realize you're most interested in a developer's perspective on this, and I'm not comfortable providing anything like that. On a side note, however, I'll mention some things from an administrative/user perspective.

I like these features of the OpenBSD implementation, one of which was mentioned by Tariq Rashid:

1. The enc interface. Makes it extremely simple to have packet filtering rules for IPSEC tunneled networks, and routing is easier to think about, imho.
2. IPSEC flows appear in netstat -r output, very handy.
3. kernfs has information about each SA, including statistics for them (bytes, packets, etc).

I'm less familiar with the KAME implementation, so I'm unable to highlight its strengths compared to the OpenBSD code -- perhaps someone will jump in here and point them out for me.
matt
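To make point 1 above concrete, here is a pf.conf fragment showing what filtering on the OpenBSD enc interface looks like. This is an added illustration, not something from the post or from the OpenBSD project; the interface name, the peer gateway and both subnets are assumed placeholder values (documentation-range addresses), and the rule set is deliberately minimal.

```pf
# Added example: filtering IPsec-tunneled traffic on OpenBSD's enc0.
# All names and addresses below are assumptions for illustration.
ext_if     = "fxp0"         # assumed external interface
peer_gw    = "192.0.2.1"    # assumed remote IPsec gateway
local_net  = "10.1.0.0/16"  # assumed subnet behind this host
remote_net = "10.2.0.0/16"  # assumed subnet behind the peer

# On the external interface, admit only the IPsec protocols themselves:
# ESP from the peer, and IKE (UDP/500) for the keying daemon.
block in on $ext_if
pass in on $ext_if proto esp from $peer_gw to $ext_if
pass in on $ext_if proto udp from $peer_gw to $ext_if port 500

# Packets the kernel has just decapsulated are presented again on enc0,
# so the tunnel's *inner* addresses can be filtered here like any other
# interface. The outer IP-in-IP (ipencap) packet is seen first, then the
# inner packet from the remote subnet.
block in on enc0
pass in on enc0 proto ipencap from $peer_gw to $ext_if
pass in on enc0 from $remote_net to $local_net
```

The security point of the enc interface is that the external-interface rules never have to reason about what is inside the tunnel: anything reaching enc0 has already been authenticated and decrypted by the kernel, and a default block on enc0 ensures a mis-negotiated SA cannot inject arbitrary inner traffic into the local network.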