From: Jun-ichiro itojun Hagino
To: freebsd-net@FreeBSD.ORG
Subject: Re: kame ipsec vs. openbsd ipsec
Date: Fri, 05 Apr 2002 17:44:36 +0900
Message-Id: <20020405084437.E731A7B9@starfruit.itojun.org>
References: <20020405172620N.sakane@kame.net>

>> 1. Has anyone else seriously looked at doing this?
>> 2. Has anyone compared the OpenBSD and KAME implementations and understand
>> their relative strengths? (e.g. is there some reason to work with KAME other
>> than it's already in the system)
>
> i have summarized what some people argued to merge the OpenBSD IPsec
> implementation into FreeBSD.
>
> some people say that OpenBSD has an advantage because:
>  1. it supports crypto hardware acceleration.
>  2. because an SA is shown as a pseudo interface,
>     2-a. we can see how packets flow through the interface
>          by netstat(8).
>     2-b. it can configure packet rules easily.
>     2-c. routing information can flow into the interface.
>  3. we can see parameters and the statistics of the SA.
>  4. SPD is implemented in the routing table.

observations 2-[abc] are incorrect.  openbsd uses the enc0 interface,
which enables people to run tcpdump against packets after ESP
decapsulation (or before encapsulation).  the interface is a pseudo
interface, and you cannot run a routing protocol over it.  the enc0
interface is not instantiated per-SA (one interface is shared for all
SAs).

KAME does not have an enc0 interface or the like, as doing so breaks
the IPv6 scoping architecture (in short, you can never play with
m->m_pkthdr.rcvif, as addresses must be evaluated in a certain
interface's context).

4 is also incorrect.  SPD is implemented as a radix tree, separate
from the IPv4 (or IPv6) routing table.  therefore, it has nothing to
do with the normal routing table.

itojun
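The point about the SPD above (policy lookup is its own radix tree keyed on traffic selectors, and the routing table is consulted separately) can be seen in a small model. This is an added example and not KAME, OpenBSD or FreeBSD code: the bitwise trie, the `Policy` layout, the rule that the most specific destination prefix with a matching source selector wins, the bypass default for unmatched traffic, and the documentation-range addresses are all assumptions made for illustration.

```python
"""Model of an IPsec SPD kept as its own radix tree, apart from the routing table.

Added example, not KAME/OpenBSD/FreeBSD code.  The trie, the Policy layout,
the matching rule and the sample prefixes are illustrative assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


def _bits(addr, prefixlen: int) -> str:
    """The first `prefixlen` bits of an address, as a string of '0'/'1'."""
    return format(int(addr), f"0{addr.max_prefixlen}b")[:prefixlen]


@dataclass
class _Node:
    children: Dict[str, "_Node"] = field(default_factory=dict)
    value: Any = None  # set only at nodes where an inserted prefix ends


class RadixTrie:
    """Bitwise trie over one address family with longest-prefix-match lookup."""

    def __init__(self) -> None:
        self.root = _Node()

    def insert(self, prefix: str, value: Any) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        node = self.root
        for b in _bits(net.network_address, net.prefixlen):
            node = node.children.setdefault(b, _Node())
        node.value = value

    def matches(self, address: str) -> List[Any]:
        """Values of every prefix covering `address`, most specific first."""
        addr = ipaddress.ip_address(address)
        node, found = self.root, []
        if node.value is not None:          # a /0 entry lives at the root
            found.append(node.value)
        for b in _bits(addr, addr.max_prefixlen):
            node = node.children.get(b)
            if node is None:
                break
            if node.value is not None:
                found.append(node.value)
        return found[::-1]

    def lookup(self, address: str) -> Optional[Any]:
        found = self.matches(address)
        return found[0] if found else None


@dataclass(frozen=True)
class Policy:
    action: str                  # "ipsec", "discard" or "none" (bypass)
    peer: Optional[str] = None   # SA endpoint when action == "ipsec"


class SecurityPolicyDatabase:
    """SPD keyed on (direction, src prefix, dst prefix): one radix tree per
    direction over dst, each leaf holding an ordered list of src selectors."""

    def __init__(self) -> None:
        self._by_dir = {"in": RadixTrie(), "out": RadixTrie()}
        self._leaves: Dict[tuple, list] = {}

    def add(self, direction: str, src: str, dst: str, policy: Policy) -> None:
        key = (direction, ipaddress.ip_network(dst, strict=False))
        entries = self._leaves.get(key)
        if entries is None:                 # first selector for this dst prefix
            entries = self._leaves[key] = []
            self._by_dir[direction].insert(dst, entries)
        entries.append((ipaddress.ip_network(src, strict=False), policy))

    def lookup(self, direction: str, src: str, dst: str) -> Policy:
        """Most specific dst prefix whose src selector covers `src` wins.
        Unmatched traffic bypasses IPsec (an assumed default)."""
        src_addr = ipaddress.ip_address(src)
        for entries in self._by_dir[direction].matches(dst):
            for src_net, policy in entries:
                if src_addr in src_net:
                    return policy
        return Policy("none")


def build_tables():
    """Constructed sample tables; all addresses are documentation ranges."""
    rt = RadixTrie()
    rt.insert("0.0.0.0/0", "192.0.2.1")          # default route
    rt.insert("10.0.0.0/8", "192.0.2.254")
    spd = SecurityPolicyDatabase()
    spd.add("out", "10.1.0.0/16", "10.2.0.0/16", Policy("ipsec", "198.51.100.7"))
    spd.add("out", "0.0.0.0/0", "10.2.3.0/24", Policy("discard"))
    spd.add("out", "0.0.0.0/0", "0.0.0.0/0", Policy("none"))
    return rt, spd


def classify(rt, spd, direction, src, dst):
    """Route a packet and fetch its policy; neither lookup consults the other."""
    return rt.lookup(dst), spd.lookup(direction, src, dst)


if __name__ == "__main__":
    rt, spd = build_tables()
    print(classify(rt, spd, "out", "10.1.4.9", "10.2.5.1"))
    rt.insert("10.2.0.0/16", "192.0.2.77")      # route change; SPD answer is unchanged
    print(classify(rt, spd, "out", "10.1.4.9", "10.2.5.1"))
```

Inserting a more specific route changes the next hop but not the policy returned for the same flow, which is the separation the reply describes; a decision such as "discard" for 10.2.3.0/24 is likewise taken without any route ever being added or removed.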