Subject: Re: openbgpd 3.7
To: None <>
From: Thomas E. Spanjaard <>
List: tech-net
Date: 01/22/2006 19:02:19

Thor Lancelot Simon wrote:
> On Sun, Jan 22, 2006 at 01:59:49PM +0000, Thomas E. Spanjaard wrote:
>>Note that IPsec ESP/AH authentication isn't operational yet, 
>>as someone(*cough* riz *cough* ;)) needs to upgrade our IPsec/SA stuff 
>>to what OpenBSD has.
> What exactly is involved in this "upgrade"?  The interface in question
> is standard across the KAME stack and the "fast IPsec" (Keromytis/Leffler)
> stack in most BSD operating systems (in fact, all of them except OpenBSD,
> if they've changed it somehow).  AFAICT it offers everything one needs to
> require ESP or AH on a per-socket basis; is the implementation broken, or
> are we talking about an interface change, and if so, why?

The OpenBSD folks have done some reworking and added various features 
(like SADB_X_{ADD,DEL}FLOW), which I haven't looked into thoroughly. 
Jeff Rizzo has done some work in this area and probably can explain a 
bit more regarding this. Our implementation isn't necessarily broken, 
but it doesn't feature what the OpenBSD one has either. See 
bgpd/pfkey.c, the #ifdef'ed parts.

         Thomas E. Spanjaard