Date: Wed, 16 Jul 2008 21:10:18 -0700
From: Sam Leffler <sam@freebsd.org>
To: freebsd-net@freebsd.org
Cc: vanhu_bsd@zeninc.net, Larry Baird <lab@gta.com>
Subject: Re: FreeBSD NAT-T patch integration [CFR/CFT]
Message-ID: <487EC62A.3070301@freebsd.org>
In-Reply-To: <486A45AB.2080609@freebsd.org>
References: <20080630040103.94730.qmail@mailgate.gta.com> <486A45AB.2080609@freebsd.org>

Sam Leffler wrote:
> Larry Baird wrote:
>>> And how do I know that it works ?
>>> Well, when it doesn't work, I do know it, quite quickly most of the
>>> time !
>>>
>> I have to chime in here. I did most of the initial porting of the
>> NAT-T patches from Kame IPSec to FAST_IPSEC. I did look at every
>> line of code during this process. I found no security problems during
>> the port. Like Yvan, my company uses the NAT-T patches commercially.
>> Like he says, if it had problems, we would hear about it. If the
>> patches don't get committed, I highly suspect Yvan or myself would try
>> to keep the patches up to date. So far I have done FAST_IPSEC patches
>> for FreeBSD 4, 5, 6. Yvan did 7 and 8 by himself. Keeping up gets to be
>> a pain after a while. I do plan to look at the FreeBSD 7 patches soon,
>> but it sure would be nice to see it committed.
>>

Please test/review the following patch against HEAD:

http://people.freebsd.org/~sam/nat_t-20080616.patch

This adds only the kernel portion of the NAT-T support; you must provide
the user-level code from another place. The main differences from the
patches floating around are in the ctloutput path (adding proper locking
for HEAD) and decap of ESP-in-UDP frames.

Assuming folks are ok w/ these changes I'll commit to HEAD. Once this
stuff goes in we can look at getting the user-mode mods into the tree.

Sam

PS. Thanks especially to Matthew Grooms who tested an earlier version
and fixed a bug.