From: Jim Binkley <jrb@cse.ogi.edu>
To: "Thomas D. Simes"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: SKIP problems
In-Reply-To: Your message of "Thu, 28 May 1998 13:28:33 -0800."
Date: Thu, 28 May 1998 16:13:29 -0700
Message-Id: <199805282313.QAA10504@church.cse.ogi.edu>

It's a good point, Tom, and it could stand MUCH clarification. (The "how is IPSEC" question, not the SKIP part. SKIP is not an IETF standard and was rejected by the IPSEC wg several years ago, along with Photuris.)...

>
> At the risk of asking an obvious question - how is IPsec currently
> implemented in FreeBSD? SKIP is something that can be used now - it may
> not be the best solution, but it is something that can be implemented
> today.
>
> Tom

I can think of MANY different IPSEC implementations that could stand to learn from each other (I suspect). We have:

1. freebsd/NRL/psu/me, as found at http://www.cs.pdx.edu/research/SMN in case you have been asleep... VPNs via route(8), route(4), and keyadmin(1). I could try to briefly clarify on-line if there was interest. I suspect there are at least two or more IPSEC implementor (camps) that read this list. Maybe we could all do that (or I could just go on vacation).
1.1 the netbsd/NRL implementations
2. the openBSD (used to be netBSD) implementation
3. the WIDE implementation
4. the NIST/linux implementation
5. and the soon to be unleashed Cisco IOS implementation :->
6. bump in the stack implementations

How they work and exactly what they do and do not do is not clear. IPSEC has specified packet formats, not app/kernel or user APIs. The latter are important and different.

There are many important questions; e.g.:

- what about ISAKMP?
- what are the kernel interfaces?
- how do the kernel parts work?
- how do you add a new security transform?
- how tested is the code? (how buggy?)
- is the code well written?
- what is the user (or sysadmin) API?
- how does key management work?
- is ASN involved :->
- does it support user-level or only network level?
- policy for packets in/out in the o.s.; i.e., when to IPSEC and when not?
- tunnel security attributes?
- could joe average routing daemon use it?
- multicast semantics?
- how many tons of docs, if any?
- you claim "interoperation"; exactly what did that mean? end to end apps, end to router tunnel, AH with transform Y, which AH acc. to which RFC/draft, etc., etc., ...
- several things I haven't thought of to throw in the laundry list ...
- and of course, our favorite, export control aspects.

Forgive me for this minor explosion.

kind regards,

Jim Binkley
jrb@cse.ogi.edu