Subject: Re: Soc : FAST_IPSEC integration for ipv6
To: DEGROOTE Arnaud <>
From: Sam Leffler <>
List: tech-net
Date: 04/28/2006 09:32:42
DEGROOTE Arnaud wrote:
> Hi list.
> I'm really interested in working on a NetBSD summer of code, particulary
> the integration of fast_ipsec into the ipv6 stack.
> I have already some questions about it. I hope you can enlight me.
> It seems to have some INET6 code into the netipsec implementation. Can I
> trust this code or it is completely untested ? 

None of the ipv6 code is trustworthy.  The intent was to rewrite it 
along the lines of the ipv4 code.  There are numerous optimizations in 
the ipv4 code that should be applied to the ipv6 code path.

> The initial netipsec stack seems to share some code with the OpenBSD
> implementation of ipsec. Do you think I can check the implementation of
> ipsec in the current OpenBSD to have some idea how to integrate netipsec
> into our ip6 stack ?

Please read my bsdcan paper about fast ipsec (I think it was 2003; 
available at  You may be able to get some help by 
looking at the openbsd code but the two code bases are now rather 
different and you may find it simpler to refer to the kame ipv6 code in 
the tree than any openbsd code.

> The last thread about ipsec and fast-ipsec on tech-kern speaks about some
> odd problems with fast_ipsec ( some crash with ping and fast_ipsec ). Has
> the problem been resolved or may I resolve it during the SoC ( if I can, of
> course ) ?

Can't help you with that.