Current-Users archive


heads-up: IPSEC is now FAST_IPSEC

I've just made FAST_IPSEC the default implementation which gets
used if the IPSEC kernel option is present.
In common setups, it should work at least as well as the old
(KAME) implementation. The new code has the potential to make
use of crypto acceleration hardware, and to use multiple
CPU cores. It also has some crypto algorithms updated, so
it might solve interoperability problems (e.g. if using
AH with SHA2, or Camellia).
There are still some open problems, in particular if PMTU
discovery is used through a tunnel, or with IPv6 extension

The old KAME implementation is still available through
the KAME_IPSEC kernel option. The old IPSEC_ESP option
is meaningless with (FAST_)IPSEC (ESP is always enabled)
but still in effect with KAME_IPSEC.

I'd very much appreciate reports (positive or negative)
about interoperability with non-NetBSD systems.

best regards

(*) There is a patch (by Arnaud Degroote) which adds proper
extension header handling for IPv6. I have it ready for
commit, I just don't know a good way to test it. If
you can help, please speak up.

Forschungszentrum Juelich GmbH
52425 Juelich