From owner-freebsd-net@FreeBSD.ORG Fri Jun 27 21:41:50 2008
Delivered-To: freebsd-net@freebsd.org
Message-ID: <48655EAD.6040905@elischer.org>
Date: Fri, 27 Jun 2008 14:42:05 -0700
From: Julian Elischer
To: "George V. Neville-Neil"
Cc: freebsd-net@freebsd.org, mgrooms@shrew.net, brooks@freebsd.org
References: <48ca67dd60c19f94b4f21bbe88854da7@localhost> <86c7b60b19e63e9188701611ac0f6f17@localhost> <4863F479.8010206@elischer.org>
Subject: Re: FreeBSD NAT-T patch integration
List-Id: Networking and TCP/IP with FreeBSD

George V. Neville-Neil wrote:
> At Thu, 26 Jun 2008 12:56:41 -0700,
> julian wrote:
>> I'm planning on committing it unless someone can provide a reason not
>> to, as I've seen it working, needed it, and have not seen any bad
>> byproducts.
>>
>
> I'd be interested to know how you tested it. NAT-T and IPsec are
> non-trivial protocols/subsystems that can have far-reaching impacts on
> the network stack. Also, are you planning to maintain it after
> committing it? The biggest problem with NAT-T hasn't been the code,
> it's been that the author, who is doing a great job on the code, has
> been too busy to maintain it anywhere but at work. That is not a slam
> on the person or the code, I have the highest respect for both, but it
> reflects an important reality of the situation. Unless you're
> stepping up to maintain it as well as commit it I think it should not
> be committed. I know Bjoern has been working hard to pick up the
> IPsec stuff in his free time, and I value his input on this subject
> quite a bit.
>
> Best,
> George

NAT-T is needed for IPsec to work correctly with a bunch of VPN servers such as the Cisco VPN server. It's been seen by dozens of people to do exactly that. It's added to every single pfSense and m0n0wall router out there. Code inspection also shows that it shouldn't compromise non-NAT-T sessions.

So, it allows one to do things that many people need. It doesn't screw up existing applications (that I've ever heard of). The author is responsive and shows dedication.