Subject: Re: IPSEC in GENERIC
To: Jonathan Stone <jonathan@Pescadero.dsg.stanford.edu>
From: Christos Zoulas <christos@zoulas.com>
List: tech-kern
Date: 02/22/2006 18:53:36
On Feb 22,  3:33pm, jonathan@Pescadero.dsg.stanford.edu (Jonathan Stone) wrote:
-- Subject: Re: IPSEC in GENERIC

| In message <20060222224551.GA8006@panix.com>,
| Thor Lancelot Simon writes:
| 
| >The FAST_IPSEC code is much more sensible: you define the FAST_IPSEC
| >option and you get the whole thing, not bits and pieces.  That you
| >can't specify options FAST_IPSEC and then conditionally compile in
| >parts of the KAME code (without the rest of it!) should not be
| >surprising, any more than that you can't attach an sd to an atabus.
| >
| >I find it really disappointing that new features continue to be
| >developed within NetBSD for the KAME stack, ignoring the FAST_IPSEC
| >stack entirely; it was my understanding when the FAST_IPSEC code was
| >imported that it was intended to replace the KAME stack, 
| 
| That was certainly the sentiment at the time. (See emails from Jason
| Thorpe, and others) But since no-one has ever stepped up to adding
| IPv6 support to FAST_IPSEC, that continues to be a showstopper. *I*
| certainly wouldn't ever propose we forcibly yank IPsec out from under
| those who choose to use IPv6+KAME-IPSec.
| 
| >and, at the
| >very least, I think that core should be requiring that new features
| >that _we_ add to the KAME stack also be added to the FAST_IPSEC stack
| >before they are committed, to avoid serious integration pain later on.
| 
| "Me too". But they aren't.  And after Christos' responses, one might
| legitimately begin to wonder whether Core grasps the issues, or not.

They are not integrated because the majority of people (that I know
of) don't use FAST_IPSEC. Maybe I don't understand the issues regarding
FAST_IPSEC, but how can you generalize and say that the rest of core
doesn't either?

It would have helped if someone had made the statement when FAST_IPSEC
was imported that this was the preferred way and marked the old IPSEC
options for compatibility or IPv6 use. Then we could have put some
effort into fixing the FAST_IPSEC PRs, especially the 'ping -s 3000' one
where anybody can crash the kernel. I am not saying that the KAME ipsec
code is bug-free, but at least joe user cannot crash the kernel on
demand.

christos