tech-userlevel archive


Re: Moving telnet/telnetd from base to pkgsrc



> What's the deal with IPSEC?

The protocol is called IPsec (and often miscapitalized), and our kernel
option is IPSEC.

> I've never used it, but I was under the impression it gives encryption
> for free for things that otherwise don't have it.

It provides confidentiality and data origin authentication at the IP
level, via a per-packet protocol called Encapsulating Security Protocol.

In this respect it is sort of like TLS, but operating at the IP layer
rather than the TCP layer.

However, implementations of it are OS services, rather than code in user
space.  (But the key management is in user space.)

> Do all the programs need to have ipsec-specific goo to use it? telnet
> does, as well as having its own encryption code.

No.  One configures the use of IPsec via Security Policy Database
entries, which in NetBSD are managed via setkey(8).

The encryption in telnet is, I believe, Kerberos.  Kerberos predates IPsec
by a lot, and is based on symmetric cryptography only (which is all that
was feasible in the early 80s).  As far as I know, Kerberos processing
is always done within the application program rather than being a kernel
service.
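As an added illustration of the SPD approach described in the message (example code, not part of the original post or of NetBSD itself): a small POSIX sh helper that emits setkey(8) policy entries requiring ESP for telnet traffic between two hosts and loads them with `setkey -c`. The host addresses are placeholders from RFC 5737 documentation space, and the example assumes an IKE daemon handles the keys, as the message says, so no manual SAs appear here.

```shell
#!/bin/sh
# Added example (not from the original message): generate NetBSD setkey(8)
# SPD entries that require ESP in transport mode for telnet (TCP/23) between
# a client and a server.  Addresses are placeholders (RFC 5737 space).
# Key management is left to an IKE daemon in user space; with "require"
# and no usable SA, the kernel drops the packets instead of sending them
# in cleartext, so telnet fails closed rather than leaking.

# Print SPD rules, as seen from the client, requiring ESP for TCP port $3
# (default 23) between client $1 and server $2.  On the server the -P
# directions are swapped.
telnet_spd_policy() {
    client=$1 server=$2 port=${3:-23}
    cat <<EOF
spdadd ${client}[any] ${server}[${port}] tcp -P out ipsec esp/transport//require;
spdadd ${server}[${port}] ${client}[any] tcp -P in ipsec esp/transport//require;
EOF
}

# Load the policy into the kernel SPD and dump it back for verification.
# Needs root and a kernel built with "options IPSEC"; only the generator
# above runs without them.
apply_spd_policy() {
    telnet_spd_policy "$@" | setkey -c && setkey -DP
}
```

Run `apply_spd_policy 192.0.2.10 192.0.2.20` on the client (and the mirrored policy on the server); `setkey -DP` then shows the two entries and `setkey -D` shows whether IKE has actually negotiated SAs.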

