Subject: Heads-up, status update on FAST_IPSEC
To: None <>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: current-users
Date: 08/04/2003 13:03:24

I have a NetBSD port of Sam Leffler's FAST_IPSEC which works well
enough to start some work on integration -- enough that other
developers/users can start testing, if they wish.  The current version
is IPv4-only. The source code can co-exist with KAME IPsec, but only
one or the other can be configured into a kernel at one time.

I propose to commit some minor changes (reserving packet-tag names in
sys/mbuf.h, initialization hooks, etc.) over the next day or so.

I also have a set of patches to sys/netinet, which hook into the
FreeBSD-derived sys/netipsec code. I will make those available for
review (or perhaps even just commit those changes, as almost all of
them change "#ifdef IPSEC" to "#if defined(IPSEC) || defined(FAST_IPSEC)").

I also propose one additional change: to pass one additional argument
on all calls ip_output(). The new argument is either the address of
the inpcb associated with the outbound packet (if available); or NULL
otherwise. This will simplify the caching of IPsec connection-info in
pcbs. It's also an enabler for other, non-IPsec changes (e.g.,
implementing an SO_BINDTODEV-like feature).

This seemed a more elegant and efficient approach than the alternative
of passing a struct socket * by squirreling it away in a packet-tag.

Comments on all the above welcomed; though please cc: me for
quickest response.
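The caching the proposal enables, shown as an added standalone mock rather than any NetBSD or FreeBSD kernel code: a hypothetical `mock_ip_output()` takes the proposed trailing inpcb pointer, reuses a security-policy pointer cached in the pcb when one is present and still current, falls back to a full (counted) policy lookup when the caller passed NULL, and drops stale cache entries after the policy database changes. All names here (`mock_ip_output`, `spd_lookup`, `spd_changed`, the `struct inpcb` fields) are assumptions for illustration, not the real kernel interfaces.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical policy record (not the kernel's struct secpolicy). */
struct secpolicy {
    int id;
    int policy;          /* 0 = bypass, 1 = apply IPsec (constructed values) */
};

/* Hypothetical mock of a pcb with one cache slot for the resolved policy. */
struct inpcb {
    unsigned short lport;
    struct secpolicy *sp_cache;   /* cached policy, NULL until first send   */
    unsigned cache_gen;           /* SPD generation the cache entry belongs to */
};

static unsigned g_spd_gen = 1;    /* bumped whenever the policy database changes */
static int g_lookups = 0;         /* how many full SPD lookups were performed   */

/* Constructed sample policy database: two entries. */
static struct secpolicy g_spd[] = { { 1, 0 }, { 2, 1 } };

/* Mock SPD lookup keyed on local port; every call is counted. */
static struct secpolicy *spd_lookup(unsigned short lport)
{
    g_lookups++;
    return (lport == 500) ? &g_spd[0] : &g_spd[1];
}

/* Mock of the proposed ip_output() shape: the trailing argument is the
 * inpcb for the outbound packet, or NULL when the caller has none
 * (e.g. forwarded traffic). Returns the policy decision (0/1). */
int mock_ip_output(unsigned short lport, struct inpcb *inp)
{
    struct secpolicy *sp;

    if (inp != NULL && inp->sp_cache != NULL && inp->cache_gen == g_spd_gen) {
        sp = inp->sp_cache;                 /* cache hit: no SPD lookup */
    } else {
        sp = spd_lookup(lport);             /* slow path: full lookup   */
        if (inp != NULL) {                  /* remember it only if we have a pcb */
            inp->sp_cache = sp;
            inp->cache_gen = g_spd_gen;
        }
    }
    return sp->policy;
}

/* Invalidate every cached entry at once by bumping the generation. */
void spd_changed(void)
{
    g_spd_gen++;
}

/* Scripted scenario; returns the number of full lookups it caused:
 *  two sends on one pcb      -> 1 lookup (second is a cache hit)
 *  one send with NULL pcb    -> 1 lookup (nothing to cache into)
 *  policy change, send again -> 1 lookup (cache entry is stale)       */
int run_demo(void)
{
    struct inpcb pcb = { 4000, NULL, 0 };

    g_lookups = 0;
    (void)mock_ip_output(4000, &pcb);
    (void)mock_ip_output(4000, &pcb);
    (void)mock_ip_output(500, NULL);
    spd_changed();
    (void)mock_ip_output(4000, &pcb);
    return g_lookups;
}

int main(void)
{
    printf("full SPD lookups in demo: %d\n", run_demo());
    return 0;
}
```

The generation counter is the part worth copying: a cached policy pointer in a long-lived pcb is only safe if something invalidates it when the policy database changes, otherwise a socket keeps sending under a policy an administrator has already replaced.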