Subject: Re: hardware crypto (fwd)
To: None <>
From: Angelos D. Keromytis <>
List: tech-security
Date: 04/12/2000 13:04:26
  by with SMTP; 12 Apr 2000 17:11:53 -0000
	by (8.9.3/8.9.3) with ESMTP id NAA07717;
	Wed, 12 Apr 2000 13:04:26 -0400 (EDT)
Message-Id: <>
Cc: Bill Sommerfeld <>,,
Subject: Re: hardware crypto (fwd) 
In-reply-to: Your message of "Thu, 13 Apr 2000 00:31:14 +0900."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 12 Apr 2000 13:04:26 -0400
From: "Angelos D. Keromytis" <>

>	I'll definitely need to look at openbsd.  after quick browse,
>	there's one major difference in kame-ipsec and openbsd-ipsec code
>	orientation.  in openbsd-ipsec a packet will visit ip_input or
>	ip_output more than once.  kame-ipsec tries to avoid it.
>	this makes some difference in creating ipsec processing queue.

On output, only twice; the second time a flag will be set that prevents
IPsec processing to happen again (to avoid loops). You're correct about