From owner-freebsd-security  Wed Apr 22 03:12:49 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id DAA09620
          for freebsd-security-outgoing; Wed, 22 Apr 1998 03:12:49 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from citadel.cdsec.com (citadel.cdsec.com [192.96.22.18])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA09605
          for <freebsd-security@FreeBSD.ORG>; Wed, 22 Apr 1998 10:12:42 GMT
          (envelope-from ian@cdsec.com)
Received: (from nobody@localhost) by citadel.cdsec.com (8.8.5/8.6.9) id MAA08242 for <freebsd-security@FreeBSD.ORG>; Wed, 22 Apr 1998 12:19:45 +0200 (SAT)
Received: by citadel via recvmail id 8204; Wed Apr 22 12:18:46 1998
From: Ian Cooper <ian@cdsec.com>
Message-Id: <199804221009.MAA22173@cdsec.com>
Subject: Re: IPv6 + IPSec
To: freebsd-security@FreeBSD.ORG
Date: Wed, 22 Apr 1998 12:09:51 +0200 (SAT)
In-Reply-To: <Pine.SUN.3.96.980422005442.9694C-100000@cdsec.com> from "Janos Mohacsi" at Apr 22, 98 00:57:53 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk


My personal experience for what it is worth...

> 
> Compiling the WIDE implementation is quite hard because of misnamed
> structure fields, etc. And the kernels dumps core sometimes...  The most
> important argument against the WIDE IPv6 (for me) that the applications
> are not so tightly integrated to the system as in the INRIA.

Pluses

1. The diffs apply perfectly to a stock kernel
2. The code compiles without even a warning
3. The kernel is rock solid stable

Minuses

1. IPSEC tunneling is not implemented
2. No provision is made for rfc1853 as a result of this, although the
   code to implement deencapsulation is pretty simple and short to 
   implement

Otherwise, I think it is pretty cleanly written. Should there be any
volunteers to work on it, we'd be interested in the ISAKMP/Oakley 
stuff, and would be keen to work on an implementation in conjunction with
others. The WIDE code would need tunnelling support in order to make it
truly useful.

> 
> The solutions would be the import INRIA IPv6 code and integrate WIDE or
> ticl IPSec (with addition photurisd from OpenBSD and ISA KMP/Oakley).
> 
> Sincerely,
> 		Janos Mohacsi
> 
> 
> 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
> 


-- 
Ian Cooper (ian@cdsec.com)                             Tel: +27 21 23-6065
Citadel Data Security                                  Fax: +27 21 24-3656
Citadel Firewall, Citadel VPN Router                   Unit 3, 46 Orange Street
http://www.cdsec.com                                   Cape Town, South Africa

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message