Date:      Fri, 05 Apr 2002 17:44:36 +0900
From:      Jun-ichiro itojun Hagino <itojun@iijlab.net>
To:        freebsd-net@FreeBSD.ORG
Subject:   Re: kame ipsec vs. openbsd ipsec
Message-ID:  <20020405084437.E731A7B9@starfruit.itojun.org>
References:  <20020405172620N.sakane@kame.net>

>> 1. Has anyone else seriously looked at doing this?
>> 2. Has anyone compared the OpenBSD and KAME implementations and understand
>> their relative strengths? (e.g. is there some reason to work with KAME other
>> than it's already in the system)
>
>i have summarized what some people argued for merging the OpenBSD IPsec
>implementation into FreeBSD.
>
>some people say that OpenBSD has an advantage because:
>        1. it supports crypto hardware acceleration.
>        2. because an SA is shown as a pseudo interface,
>          2-a. we can see how packets flow through the interface
>               with netstat(8).
>          2-b. packet rules can be configured easily.
>          2-c. routing information can flow into the interface.
>        3. we can see the parameters and the statistics of the SA.
>        4. the SPD is implemented in the routing table.

	observations 2-[abc] are incorrect.  openbsd uses the enc0 interface, which
	enables people to run tcpdump against packets after ESP decapsulation
	(or before encapsulation).  the interface is a pseudo interface,
	and you cannot run a routing protocol over it.  the enc0 interface is not
	instantiated per-SA (one interface is shared by all SAs).

	KAME does not have enc0 interface or alike as doing so breaks IPv6
	scoping architecture (in short, you can never play with
	m->m_pkthdr.rcvif, as addresses must be evaluated under certain
	interface's context).

	4 is also incorrect.  the SPD is implemented as a radix tree, separate
	from the IPv4 (or IPv6) routing table.  therefore, it has nothing
	to do with the normal routing table.

itojun
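The distinction itojun draws in point 4, an SPD keyed on packet selectors and kept apart from the forwarding table, is easy to see in a toy model. The following is an added illustration, not code from KAME, OpenBSD or FreeBSD: the SPD is keyed on (source prefix, destination prefix, protocol) while the routing table is keyed on destination prefix only, and both use longest-prefix matching. The kernels use radix trees for this; the example does a linear scan, which gives the same answer for these small tables. The table contents, interface names and the three-way policy outcome are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration only: a toy SPD and a toy routing table, kept in
 * separate structures and consulted independently, as in KAME. */

enum policy { POLICY_NONE = 0, POLICY_DISCARD = 1, POLICY_IPSEC = 2 };

struct spd_entry {
    uint32_t src, src_len;   /* IPv4 source prefix and prefix length */
    uint32_t dst, dst_len;   /* IPv4 destination prefix and length */
    int proto;               /* 0 = any upper-layer protocol */
    enum policy pol;
};

struct route_entry {
    uint32_t dst, dst_len;   /* destination prefix only */
    const char *ifname;      /* hypothetical interface name */
};

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static uint32_t netmask(uint32_t len)
{
    return len == 0 ? 0 : 0xffffffffu << (32 - len);
}

static int prefix_match(uint32_t addr, uint32_t pfx, uint32_t len)
{
    return ((addr ^ pfx) & netmask(len)) == 0;
}

/* Constructed sample SPD: a site-to-site tunnel, one blocked subnet,
 * and a default bypass entry (more specific entries win). */
static const struct spd_entry spd[] = {
    { 0x0a010000u, 16, 0x0a020000u, 16, 0, POLICY_IPSEC },    /* 10.1.0.0/16 -> 10.2.0.0/16 */
    { 0x0a010500u, 24, 0x0a020000u, 16, 0, POLICY_DISCARD },  /* 10.1.5.0/24 -> 10.2.0.0/16 */
    { 0x00000000u,  0, 0x00000000u,  0, 0, POLICY_NONE },     /* any -> any: bypass */
};

/* Constructed sample routing table: destination prefix only. */
static const struct route_entry rt[] = {
    { 0x0a020000u, 16, "em1" },   /* 10.2.0.0/16 via em1 */
    { 0x00000000u,  0, "em0" },   /* default via em0 */
};

/* Longest-match over both selectors; total matched prefix length wins. */
enum policy spd_lookup(uint32_t src, uint32_t dst, int proto)
{
    const struct spd_entry *best = NULL;
    size_t i;
    for (i = 0; i < sizeof(spd) / sizeof(spd[0]); i++) {
        const struct spd_entry *e = &spd[i];
        if (!prefix_match(src, e->src, e->src_len) ||
            !prefix_match(dst, e->dst, e->dst_len) ||
            (e->proto != 0 && e->proto != proto))
            continue;
        if (best == NULL || e->src_len + e->dst_len > best->src_len + best->dst_len)
            best = e;
    }
    return best ? best->pol : POLICY_NONE;
}

/* Longest-match on destination only; knows nothing about the SPD. */
const char *route_lookup(uint32_t dst)
{
    const struct route_entry *best = NULL;
    size_t i;
    for (i = 0; i < sizeof(rt) / sizeof(rt[0]); i++) {
        const struct route_entry *e = &rt[i];
        if (!prefix_match(dst, e->dst, e->dst_len))
            continue;
        if (best == NULL || e->dst_len > best->dst_len)
            best = e;
    }
    return best ? best->ifname : NULL;
}

int main(void)
{
    /* Three packets to the same destination: identical route, three
     * different policies, because the SPD also keys on the source. */
    uint32_t dst = ip4(10, 2, 3, 4);
    uint32_t srcs[3] = { ip4(10, 1, 9, 7), ip4(10, 1, 5, 7), ip4(192, 168, 1, 1) };
    int i;
    for (i = 0; i < 3; i++)
        printf("src %u: route %s, policy %d\n", srcs[i], route_lookup(dst), spd_lookup(srcs[i], dst, 6));
    return 0;
}
```

The point of the model is the two lookups: route_lookup() never consults the SPD and spd_lookup() never consults the routing table, so a packet's outgoing interface and its IPsec policy are decided independently, which is exactly what a single merged table could not express.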
