From: Kris Kennaway
To: Ivan Voras
Cc: freebsd-net@freebsd.org
Date: Sat, 7 Apr 2007 00:23:22 -0400
Subject: Re: A radical restructuring of IPsec...
Message-ID: <20070407042322.GA72639@xor.obsecurity.org>

On Fri, Apr 06, 2007 at 04:49:01PM +0200, Ivan Voras wrote:
> gnn@freebsd.org wrote:
>
> >The patch removes Kame derived IPsec from the tree, and adds v6
> >support to FAST_IPSEC. The IPSEC kernel option is removed, but the
> >FAST_IPSEC option remains. This is a test patch and has a known
> >problem with routing packets through a node. Nodes can operate in a
> >host mode, that is they are the endpoint of a tunnel.
>
> Just a quick question: Is the reason for this simplification,
> performance, cleanup (I see spl...() functions removed), or something else?

KAME IPSEC is both giant-locked and lower performance than fast IPSEC
(which also integrates with crypto hardware devices). The missing
piece from the latter is what George has implemented, namely IPv6
support.

Kris