From: Ana Kukec
Date: Fri, 01 May 2009 16:01:47 +0200
To: Jan Melen
Cc: freebsd-hackers@freebsd.org
Subject: Re: IPsec in GENERIC kernel config

Hi Jan,

Jan Melen wrote:
> Hi,
>
> Again when I compiled a custom kernel just to enable IPsec in the
> FreeBSD kernel it came to my mind why is it so that the IPsec is not
> enabled by default in the GENERIC kernel configuration file? At least
> for me the GENERIC kernel configuration would do just fine if the
> IPsec would be enabled in it by default. Now I have to build a custom
> kernel just for IPsec btw IPsec is even mandatory for a host
> supporting IPv6.

IETF just says that IPsec support is mandatory in IPv6, but IPsec use is not. Most of current IPv6 implementations do not include IPsec, and there is nothing unusual with that. It is mainly about the performance, but there are also other issues, mainly security ones, e.g. it actually cannot defend against DoS attacks and cannot strictly eliminate spoofing, it is only a network-level security tool.. and there are still lots of incompatibility issues between different vendors' implementations of IPsec.. etc..

Ana