Re: heads-up: IPSEC is now FAST_IPSEC

To: Matthias Drochner <M.Drochner%fz-juelich.de@localhost>
Subject: Re: heads-up: IPSEC is now FAST_IPSEC
From: "Jonathan A. Kollasch" <jakllsch%kollasch.net@localhost>
Date: Tue, 10 Jan 2012 12:23:08 -0600

On Mon, Jan 09, 2012 at 05:58:07PM +0100, Matthias Drochner wrote:
> 
> I've just made FAST_IPSEC the default implementation which gets
> used if the IPSEC kernel option is present.
> In common setups, it should work at least as good as the old
> (KAME) implementation. The new code has the potential to make
> use of crypto acceleration hardware, and to use multiple
> CPU cores. It also has some crypto algorithms updated, so
> it might solve interoperability problems (eg. if using
> AH with SHA2, or Camellia).
> There are still some open problems, in particular if PMTU
> discovery is used through a tunnel, or with IPv6 extension
> headers(*).
> 
> The old KAME implementation is still available through
> the KAME_IPSEC kernel option. The old IPSEC_ESP option
> is meaningless with (FAST_)IPSEC (ESP is always enabled)
> but still in effect with KAME_IPSEC.
> 
> I'd very much appreciate reports (positive or negative)
> about interoperability with non-NetBSD systems.
> 
> best regards
> Matthias
> 
> (*)There is a patch (by Arnaud Degroote) which adds proper
> extension header handling for IPv6. I have it ready for
> commit, I just don't know a good way to test it. If
> you can help, please speak up.

i386 ALL is broken, both ipsec and pf have a 'union sockaddr_union'.

Also, I doubt kern/34843 is fixed yet either.

        Jonathan Kollasch

Follow-Ups:
- Re: heads-up: IPSEC is now FAST_IPSEC
  - From: degroote

References:
- heads-up: IPSEC is now FAST_IPSEC
  - From: Matthias Drochner

Prev by Date: Re: Instability on amd64 -current
Next by Date: Re: heads-up: IPSEC is now FAST_IPSEC
Previous by Thread: heads-up: IPSEC is now FAST_IPSEC
Next by Thread: Re: heads-up: IPSEC is now FAST_IPSEC
Indexes:

Home | Main Index | Thread Index | Old Index