Subject: Re: IPSEC anyone?
To: Erik E. Fair <fair@clock.org>
From: Matt Thomas <matt@3am-software.com>
List: tech-kern
Date: 03/16/1998 10:01:43
At 10:32 PM 3/14/98 , Erik E. Fair wrote:
>Which key management scheme is that code using? Photuris, SKIP, or
>ISAKMP/Oakley?

ISAKMP/Oakley definitely.  Note that the current example
isakmp daemons are pre-shared secrets only.

I've begun adding support for IPsec to my netinet sources.
I'm using "options IPSEC" for my changes.  

[The following should go to tech-kern or tech-net ...]

For IPsec I need to add a few things to the session structure (to
maintain one's default identity) and the proc structure (for
policy).  For the latter, I'd like to add a generic list to the proc
structure, which would be

  #include <sys/queue.h>
  struct proc;

  struct proc_extension {
    LIST_ENTRY(proc_extension) pext_qentry;   /* link in the proc's list */
    int (*pext_handler)(struct proc *p, int why,
                        struct proc_extension *pext);
  };
/* "why" values passed to pext_handler */
#define PEXT_FORK	1
#define PEXT_VFORK	2
#define PEXT_EXIT	3
#define PEXT_EXEC	4

The handler is called on fork, vfork, exit, or exec with the current/new
proc and the pext of the current/old process.  On fork/vfork it
is up to the handler to link/create/whatever the pext to the new
process if the inheritance is desired.  If the routine returns
non-zero (only allowed for fork/vfork), the fork is aborted
(the handler would be called before the address space is cloned
to reduce overhead in this case).

It would be nice to have a few extra syscalls (but one can get
around that with a pseudo device, a sysctl hack, or a new address
family).

Note that many of the changes needed for IPsec are also needed
for IPv6.

-- 
Matt Thomas               Internet:   matt@3am-software.com
3am Software Foundry      WWW URL:    http://www.3am-software.com/bio/matt/
Nashua, NH                Disclaimer: I disavow all knowledge of this message
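The hook design described in the message above, as an added illustration that is not part of the original post or of any NetBSD source: a plain next pointer stands in for LIST_ENTRY, the dispatch routines (proc_extensions_fork, proc_extensions_exit), the ipsec_policy record with its deny_fork field, and the policy_attach/run_demo helpers are all assumed names, and the exec case is folded into the handler's fall-through. It shows the three behaviours the message specifies: inheritance performed by the handler on fork/vfork, a non-zero return vetoing the fork before anything is cloned, and exit releasing the shared record.

```c
/* Added illustration of the proc_extension hooks sketched above, not NetBSD
 * code: a plain next pointer stands in for LIST_ENTRY; ipsec_policy is made up. */
#include <stdlib.h>
#define PEXT_FORK   1
#define PEXT_VFORK  2
#define PEXT_EXIT   3
#define PEXT_EXEC   4

struct proc { int p_pid; struct proc_extension *p_extensions; };

struct proc_extension {
    struct proc_extension *pext_next;
    int (*pext_handler)(struct proc *p, int why, struct proc_extension *pext);
    void *pext_data;              /* assumed: subsystem-private payload */
};
/* Hypothetical per-process policy, shared by reference across fork. */
struct ipsec_policy {
    int deny_fork;                /* assumed: holder may not create children */
    int refcnt;                   /* processes currently holding this record */
};

static int policy_handler(struct proc *p, int why, struct proc_extension *pext)
{
    struct ipsec_policy *pol = pext->pext_data;
    struct proc_extension *np;
    switch (why) {
    case PEXT_FORK:
    case PEXT_VFORK:
        /* p is the new child, pext the parent's: inheritance is our job. */
        if (pol->deny_fork || (np = malloc(sizeof *np)) == NULL)
            return 1;             /* non-zero here aborts the fork */
        np->pext_handler = policy_handler; np->pext_data = pol;
        np->pext_next = p->p_extensions;   p->p_extensions = np;
        pol->refcnt++;
        return 0;
    case PEXT_EXIT:
        /* Dispatcher already unlinked pext: drop our share and the record. */
        if (--pol->refcnt == 0) free(pol);
        free(pext);
        return 0;
    }
    return 0;                     /* PEXT_EXEC: policy survives exec */
}

/* Attach a fresh policy to p; NULL on allocation failure. */
struct ipsec_policy *policy_attach(struct proc *p)
{
    struct ipsec_policy *pol = calloc(1, sizeof *pol);
    struct proc_extension *pext = malloc(sizeof *pext);
    if (pol == NULL || pext == NULL) { free(pol); free(pext); return NULL; }
    pol->refcnt = 1;
    pext->pext_handler = policy_handler; pext->pext_data = pol;
    pext->pext_next = p->p_extensions;   p->p_extensions = pext;
    return pol;
}

/* Exit dispatch unlinks each record before calling it, so it may free itself. */
void proc_extensions_exit(struct proc *p)
{
    struct proc_extension *pext;
    while ((pext = p->p_extensions) != NULL) {
        p->p_extensions = pext->pext_next;
        pext->pext_handler(p, PEXT_EXIT, pext);
    }
}

/* Fork/vfork dispatch, run before the address space is cloned.  A veto
 * unwinds whatever earlier handlers had already attached to the child. */
int proc_extensions_fork(struct proc *parent, struct proc *child, int why)
{
    struct proc_extension *pext;
    for (pext = parent->p_extensions; pext != NULL; pext = pext->pext_next)
        if (pext->pext_handler(child, why, pext) != 0) {
            proc_extensions_exit(child);
            return -1;
        }
    return 0;
}

/* Does p hold pol through its first extension record?  Enough for the demo. */
static int holds(const struct proc *p, const struct ipsec_policy *pol)
{ return p->p_extensions != NULL && p->p_extensions->pext_data == pol; }

/* Walks the lifecycle; returns the number of failed checks (0 = all good). */
int run_demo(void)
{
    struct proc parent = { 1, NULL }, child = { 2, NULL }, orphan = { 3, NULL };
    struct ipsec_policy *pol = policy_attach(&parent);
    int bad = 0;
    if (pol == NULL) return 1;
    bad += proc_extensions_fork(&parent, &child, PEXT_FORK) != 0;
    bad += !holds(&child, pol) || pol->refcnt != 2;                /* inherited */
    pol->deny_fork = 1;
    bad += proc_extensions_fork(&parent, &orphan, PEXT_FORK) == 0; /* vetoed */
    bad += holds(&orphan, pol) || pol->refcnt != 2;                /* nothing linked */
    proc_extensions_exit(&child);
    bad += pol->refcnt != 1;                                       /* share released */
    proc_extensions_exit(&parent);                                 /* frees pol */
    return bad;
}
```

run_demo() returns 0 when every check passes. The one subtlety in the fork path is the unwind: a veto is cheap because nothing has been cloned yet, but handlers that ran earlier in the list may already have linked records onto the half-built child, so the dispatcher sends the child through the exit path before reporting failure; the exit dispatcher in turn unlinks each record before calling it, which is what lets a handler free its own record safely.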