Subject: Re: IPSEC in GENERIC
To: Christos Zoulas <christos@zoulas.com>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 02/22/2006 17:45:51
On Wed, Feb 22, 2006 at 05:20:11PM -0500, Christos Zoulas wrote:
> On Feb 22, 12:22pm, jonathan@Pescadero.dsg.stanford.edu (Jonathan Stone) wrote:
> | 
> | Aside from NAT_T (mentioned above) and the well-known lack of IPv6 IPsec
> | support (due to absence of IPv6-fans willing to actually do the work),
> | what's FAST_IPSEC missing?
> 
> IPSEC_ESP? I don't know.

Christos,

I think you seriously misunderstand the organization of the various
IPSEC_FOO options -- which are, really, in my opinion at least, the
fault of the authors/importers of the KAME code, not of the FAST_IPSEC
code.

Without exception, AFAICT, the IPSEC_FOO options all provide conditional
compilation of parts of the KAME code.  So if you don't define IPSEC_ESP,
the KAME code supports only AH: no encryption.  Even by the time at which
the code was imported into our tree, I don't think this was useful even
for political reasons; it's certainly not for technical ones.  I am also
highly skeptical that, without IPSEC_ESP defined, the KAME code even
works right.

The FAST_IPSEC code is much more sensible: you define the FAST_IPSEC
option and you get the whole thing, not bits and pieces.  That you
can't specify options FAST_IPSEC and then conditionally compile in
parts of the KAME code (without the rest of it!) should not be
surprising, any more than that you can't attach an sd to an atabus.

I find it really disappointing that new features continue to be
developed within NetBSD for the KAME stack, ignoring the FAST_IPSEC
stack entirely; it was my understanding when the FAST_IPSEC code was
imported that it was intended to replace the KAME stack, and, at the
very least, I think that core should be requiring that new features
that _we_ add to the KAME stack also be added to the FAST_IPSEC stack
before they are committed, to avoid serious integration pain later on.

-- 
  Thor Lancelot Simon	                                     tls@rek.tjls.com

  "We cannot usually in social life pursue a single value or a single moral
   aim, untroubled by the need to compromise with others."      - H.L.A. Hart