Subject: Re: IPSEC in GENERIC
To: None <jonathan@dsg.stanford.edu>
From: Christos Zoulas <christos@zoulas.com>
List: tech-kern
Date: 02/20/2006 23:38:01
On Feb 20,  8:14pm, jonathan@dsg.stanford.edu (jonathan@dsg.stanford.edu) wrote:
-- Subject: Re: IPSEC in GENERIC

| Someone else I think, since I have approximately zero in the old
| KAME IPsec code.  I can say that I believe the approach I suggested is
| workable, for locally-terminated traffic. I don't recall making any
| measure of forwarding rates myself, which is the case Thor brought up.

I am almost done adding it. It seems pretty simple. I will post patches
once I have it all tested.

| As I tried to say earlier: right now I'm more interested in turning
| off IPv6 on the machines I have with GENERIC kernels, so that those
| machines don't automagically start using IPv6 for local-subnet
| communication behind my back.  That, I care about, whereas IPsec in
| GENERIC I don't much care for.

That is a good point; I would send-pr :-)

| In all honesty, in the local marketplace, I hear an awful lot of need
| for "Cisco VPNs", "SSL VPNs", pptp, and almost no demand for IPsec.
| The instructions I saw (Hubert's, I think, from Feb 2004?), for
| configuring "Cisco VPN" access say that one must first disable IPSEC
| if it's configured, then add tun.  These days, tun is on in most 3.0
| GENERIC configs.
| 
| So, in all sincerity and thinking of just my local neck of the woods,
| and assuming Hubert's caveat about IPSEC is still accurate, I'd tend
| to think NetBSD might get more utility from excluding IPsec and
| keeping tun, than from adding IPsec.  Then again, maybe things are
| very different where you are, or where Michael is.
| 
| Worth considering both ways, though.

It all depends on whether you use IPSEC or not. If you use IPSEC, then you want
it in the default kernel; if you don't, then you don't care about it.

christos