Re: Questions about PF_KEY interface

On Mon, 25 Jun 2007, blue wrote:

I have read the manual page for fast_ipsec and ipsec. However, the man page for fast_ipsec on FreeBSD-6.1Release said currently fast_ipsec does not support IPv6. However, I thought it could properly deal with IPv6 packets after tracing code. Could fast_ipsec support IPv6? Another problem is: if the

yes, after you apply the patches that were posted the last weeks on
this list and will be committed to HEAD shortly.


only difference between fast_ipsec and ipsec is about crypto acceleration, why fast_ipsec needs to modify a bunch of files (including ip6_input, ip6_output, ip6_forward, ..., etc.), not only the encap/decap part?

If an ipv6 packet arrives that uses IPSec transport or tunnel mode,
how should it be dispatched to ipsec processing if there were no
hooks?

Quite a bit of the code is there make it possible to interchange the
ipsec implementations.
Parts of that will go away too.


The function, key_output(), which is defined in netkey\keysock.c, does not lock Giant before key_parse(). According to the comments (see below), maybe

Ignore it. It's almost dead code. Apart from that quite a bit of the
network stack runs with GIANT compat shims still.


Do you mean FAST_IPSEC feature will be embedded in FreeBSD-7.0 or later version instead of IPSEC?

As IPSEC. Kame IPSEC will go away. Read the archives of this list;-)


--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"