Subject: Re: CVS commit: basesrc
To: Jim Wise <jwise@draga.com>
From: None <itojun@iijlab.net>
List: source-changes
Date: 12/29/2000 11:50:00
>>Added Files:
>> basesrc/usr.sbin/racoon: Makefile Makefile.inc
>> basesrc/usr.sbin/racoon/libpfkey: Makefile
>> basesrc/usr.sbin/racoon/racoon: Makefile
>>Removed Files:
>> basesrc/sbin/racoon: Makefile Makefile.inc
>> basesrc/sbin/racoon/libpfkey: Makefile
>> basesrc/sbin/racoon/racoon: Makefile
>>
>>Log Message:
>>move racoon build framework from sbin/racoon to usr.sbin/racoon.
>
>How does this affect hosts which mount /usr via NFS-over-IPSec? Or is
>racoon not usable that early in the boot process for other reasons?
as the following note shows, we cannot use racoon to protect
NFS-over-IPsec mounted /usr. it is unfortunate, but the footprint is
rather big for static linkage (it has to link libcrypto as well as
kerberos libraries). please use manual keys during bootstrap.

itojun
to: "Erik E. Fair" <fair@clock.org>, tech-net@netbsd.org,
tech-crypto@netbsd.org
In-reply-to: itojun's message of Thu, 28 Dec 2000 14:05:28 JST.
<12269.977979928@coconut.itojun.org>
Subject: Re: sbin/racoon
From: itojun@iijlab.net
Date: Thu, 28 Dec 2000 14:12:47 +0900
Message-ID: <12429.977980367@coconut.itojun.org>
Sender: tech-net-owner@netbsd.org
>>How bad is it on SPARC or Alpha?
> the following result is for compilation without kerberos
> (= no IKE with GSSAPI support).
of course, another option is to put racoon under /usr/sbin,
and accept the following drawbacks:
- /usr has to be locally mounted, or
- /usr has to be NFS mounted insecurely during bootstrap.
(after /usr got mounted, we can negotiate keys by using
/usr/sbin/racoon)
itojun