From owner-freebsd-net@FreeBSD.ORG  Sat Apr  7 04:23:23 2007
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 56B7E16A403
	for <freebsd-net@freebsd.org>; Sat,  7 Apr 2007 04:23:23 +0000 (UTC)
	(envelope-from kris@obsecurity.org)
Received: from elvis.mu.org (elvis.mu.org [192.203.228.196])
	by mx1.freebsd.org (Postfix) with ESMTP id 44DB113C44B
	for <freebsd-net@freebsd.org>; Sat,  7 Apr 2007 04:23:23 +0000 (UTC)
	(envelope-from kris@obsecurity.org)
Received: from obsecurity.dyndns.org (elvis.mu.org [192.203.228.196])
	by elvis.mu.org (Postfix) with ESMTP id 5A23A1A3C1C;
	Fri,  6 Apr 2007 21:23:24 -0700 (PDT)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 6DED751482; Sat,  7 Apr 2007 00:23:22 -0400 (EDT)
Date: Sat, 7 Apr 2007 00:23:22 -0400
From: Kris Kennaway <kris@obsecurity.org>
To: Ivan Voras <ivoras@fer.hr>
Message-ID: <20070407042322.GA72639@xor.obsecurity.org>
References: <m21wix61iy.wl%gnn@neville-neil.com> <ev5mku$3tq$1@sea.gmane.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="envbJBWh7q8WU6mo"
Content-Disposition: inline
In-Reply-To: <ev5mku$3tq$1@sea.gmane.org>
User-Agent: Mutt/1.4.2.2i
Cc: freebsd-net@freebsd.org
Subject: Re: A radical restructuring of IPsec...
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Apr 2007 04:23:23 -0000


--envbJBWh7q8WU6mo
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Apr 06, 2007 at 04:49:01PM +0200, Ivan Voras wrote:
> gnn@freebsd.org wrote:
>=20
> >The patch removes Kame derived IPsec from the tree, and adds v6
> >support to FAST_IPSEC.  The IPSEC kernel option is removed, but the
> >FAST_IPSEC option remains. This is a test patch and has a known
> >problem with routing packets through a node.  Nodes can operate in a
> >host mode, that is they are the endpoint of a tunnel.
>=20
> Just a quick question: Is the reason for this simplification,=20
> performance, cleanup (I see spl...() functions removed), or something els=
e?

KAME IPSEC is both giant-locked and lower performance than fast IPSEC
(which also integrates with crypto hardware devices).  The missing
piece from the latter is what George has implemented, namely IPv6
support.

Kris




--envbJBWh7q8WU6mo
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFGFxy5Wry0BWjoQKURAnySAKCn7H/2T7AOsuoVfhXegEbrHOKkVgCfQIK6
NBR4qmXXX3YINNs52GcR+uA=
=QThW
-----END PGP SIGNATURE-----

--envbJBWh7q8WU6mo--