Subject: Re: IPSEC in GENERIC
To: None <jonathan@dsg.stanford.edu>
From: Garrett D'Amore <garrett_damore@tadpole.com>
List: tech-kern
Date: 02/20/2006 20:34:35
jonathan@dsg.stanford.edu wrote:
> In message <20060221034924.5214F56534@rebar.astron.com>,
> Christos Zoulas writes:
>
>   
>> On Feb 20,  7:35pm, jonathan@Pescadero.dsg.stanford.edu (Jonathan Stone) wrote
>> :
>> -- Subject: Re: IPSEC in GENERIC
>>     
>
> [...]
>
>   
>> I see the summary of this thread as:
>>
>> 1. The reason we don't turn IPSEC on by default is performance.
>> 2. There is FAST_IPSEC but it does not do IPV6.
>> 3. The KAME code is too complicated/messy and hard to separate.
>> 4. In order to do have the best of both worlds is to compile IPSEC
>>   in and determine if we need to take the IPSEC complex path only
>>   if the number of SPD's > 0 (which was proposed by you this round).
>>
>> Now can you (or someone else) step up and see if doing (4) is feasible?
>>     
>
> Someone else I think, since I have approximately zero in the old
> KAME IPsec code.  I can say that I beleive the approach I suggested is
> workable, for locally-terminated traffic. I don't recall making any
> measure of forwarding rates myself, which is the case Thor brought up.
>
> As I tried to say earlier: right now I'm more interested in turning
> off IPv6 on the machines I have with GENERIC kernels, so that those
> machines don't automagically start using IPv6 for local-subnet
> communication behind my back.  That, I care about, whereas IPsec in
> GENERIC I don't much care for.
>   
I'm confused, is there some reason that just unconfiguring the interface
with ifconfig won't do this?

This doesn't sound anything like IPsec -- it sounds like you want a way
to force IPv4 at run-time.  I think it should be possible to do that
regardless of whether or not IPv6 is *compiled* into the kernel.
>
> In all honesty, in the local marketplace, I hear an awful lot of need
> for "Cisco VPNs", "SSL VPNs", pptp, and almost no demand for IPsec.
> The instructions I saw (Hubert's, I think, from Feb 2004?), for
> configuring "Cisco VPN"s access say that one must first disable IPSEC
> if it's configured, then add tun.  These days, tun is on in most 3.0
> GENERIC configs.
>   
Cisco VPN *is* IPsec, right?   At least their "modern" VPN stuff is
pretty much just IPsec + IKE, as I understand it.

IPsec is critical for a lot of our deployments.  We see demand for IPsec
increasing rapidly with some of our biggest customers.

-- 
Garrett D'Amore, Principal Software Engineer
Tadpole Computer / Computing Technologies Division,
General Dynamics C4 Systems
http://www.tadpolecomputer.com/
Phone: 951 325-2134  Fax: 951 325-2191