Subject: Re: Reminder that we are supporting two parallel IPsec
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Sam Leffler
List: tech-net
Date: 09/12/2003 08:41:01
>>>	i don't understand why sys/netipsec has to have another PF_KEY
>>>	implementation.  could you tell me why?
>> Sam Leffler's fast-ipsec is a rework in detail, to improve performance.
>> The re-implementation of PF_KEY is part and parcel of that "rework in
>> detail".  I understand the rework is ongoing (that is, more performance
>> enhancements are planned), but you'd be better off asking Sam.
> 	i looked at the diff between netipsec/key* and netkey/key*.
> 	the changes are minimal.  i will remove the former and put #ifdef
> 	FAST_IPSEC into the former.

I'm not sure this is a good idea.  I intentionally duplicated all KAME code 
because I intended to change it significantly.  (I also wanted to ensure 
neither code base affected the other.)

In this case I'm close to working on the PF_KEY implementation s.t. it will 
diverge from the KAME implementation.  If netbsd wants to track this work 
then doing the above will be wasted effort.