tech-net archive


Re: IPsec vs ssh



    Date:        Mon, 11 Nov 2013 11:49:14 +0100
    From:        Arnaud Degroote <degroote%NetBSD.org@localhost>
    Message-ID:  <20131111104914.GB6456@bugfree>


  | If you want to use a programming interface instead of setkey, you can
  | use the function ipsec_set_policy (3) from libipsec which takes the same
  | kind of input than setkey (8).

Thanks, that does help a little - but that interface just seems to take
a textual description of the policy (which I don't have, but could produce
with a little sprintf'ing - though doing so seems a little perverse),
and converts it into a binary structure (that I could probably just fill
in with C assignment statements - the values for it should not be hard to find,
and don't in any way depend upon any external specification - just what
port numbers happen to have been assigned to my socket when it connected)

But, that doesn't tell me what to do with the structure when I have built
it, and I think that's really what I wanted to know.

  | Some low-level API exists, but are not documented.

That's what I was afraid of. And I think it is that that I really need
to get access to.

  | Dig into libpfkey.h.

Thanks, but ... that shows me the structure used, which contains many
fields whose purpose is way beyond anything I can even guess at, and
prototypes for lots of functions whose purpose I have no idea of (I
have just taken a quick glance so far, but there look to be too many
for pure trial and error to ever come up with anything useful.)

  | The protocol used if PFKEY, as described in RFC 2367.
 
That probably helps more, thanks - do we believe that NetBSD supports
the interface in that RFC completely?

kre
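The PF_KEY base header from RFC 2367 that the last quoted line refers to, as an added example that is not part of this thread: the struct and constants are transcribed from the RFC so the block compiles without libpfkey, and the socket I/O that would carry the header to the kernel is assumed and not shown.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Constants and base header layout transcribed from RFC 2367 (PF_KEY v2). */
#define PF_KEY_V2           2
#define SADB_GETSPI         1
#define SADB_DUMP           10
#define SADB_SATYPE_UNSPEC  0
#define SADB_SATYPE_ESP     3

struct sadb_msg {
    uint8_t  sadb_msg_version;
    uint8_t  sadb_msg_type;
    uint8_t  sadb_msg_errno;
    uint8_t  sadb_msg_satype;
    uint16_t sadb_msg_len;      /* total length in 64-bit words, not bytes */
    uint16_t sadb_msg_reserved;
    uint32_t sadb_msg_seq;
    uint32_t sadb_msg_pid;
};  /* 16 bytes, i.e. exactly 2 x 64-bit words */

/* Fill in a base header for a message whose total size (header plus all
 * extensions) is total_bytes. Returns false if the size is not a multiple
 * of 8, which the RFC requires, so a mis-sized message is caught before
 * it is written to the socket. */
static bool pfkey_build_msg(struct sadb_msg *m, uint8_t type, uint8_t satype,
                            size_t total_bytes, uint32_t seq, uint32_t pid)
{
    if (total_bytes % 8 != 0 || total_bytes / 8 > UINT16_MAX)
        return false;
    memset(m, 0, sizeof *m);
    m->sadb_msg_version = PF_KEY_V2;
    m->sadb_msg_type    = type;
    m->sadb_msg_satype  = satype;
    m->sadb_msg_len     = (uint16_t)(total_bytes / 8);
    m->sadb_msg_seq     = seq;
    m->sadb_msg_pid     = pid;
    return true;
}

/* Validate a message read back from a PF_KEY socket before trusting it:
 * version must match, the declared length must agree with the bytes
 * actually received, and errno reports the kernel's verdict. Returns 0
 * on success, -1 for a malformed message, else the kernel's errno. */
static int pfkey_check_reply(const void *buf, size_t nread)
{
    struct sadb_msg m;
    if (nread < sizeof m) return -1;
    memcpy(&m, buf, sizeof m);
    if (m.sadb_msg_version != PF_KEY_V2) return -1;
    if ((size_t)m.sadb_msg_len * 8 != nread) return -1;
    return m.sadb_msg_errno;
}
```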


