tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: KAME IPsec vs Fast IPsec
On Tue, Apr 15, 2008 at 12:37:00PM -0700, Jason Thorpe wrote:
>
> What's the status of Fast IPsec being a completely replacement for
> KAME IPsec? If it has feature parity, is it time to dump KAME IPsec?
I believe there's one feature missing, which is support for
UDP-encapsulated ESP. I believe FreeBSD has in fact nonetheless
dumped the KAME code at this point.
I have been putting a lot of work into the opencrypto code used by
Fast IPsec and would like to see a lot of duplicative crypto and
IPsec code go. In a few cases (e.g. the iovec walking code in cgd,
which does not needlessly copy every request before encrypting it)
the code elsewhere in the tree is better than the opencrypto or
netipsec code, but as far as KAME IPsec itself I don't think that's
the case.
--
Thor Lancelot Simon
tls%rek.tjls.com@localhost
"The inconsistency is startling, though admittedly, if consistency is to
be abandoned or transcended, there is no problem." - Noam Chomsky
Home |
Main Index |
Thread Index |
Old Index