Subject: Re: openbgpd 3.7
To: Thomas E. Spanjaard <tgen@netphreax.net>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 01/22/2006 13:44:33

On Sun, Jan 22, 2006 at 01:59:49PM +0000, Thomas E. Spanjaard wrote:
>
> Note that IPsec ESP/AH authentication isn't operational yet,
> as someone (*cough* riz *cough* ;)) needs to upgrade our IPsec/SA stuff
> to what OpenBSD has.

What exactly is involved in this "upgrade"?  The interface in question
is standard across the KAME stack and the "fast IPsec" (Keromytis/Leffler)
stack in most BSD operating systems (in fact, all of them except OpenBSD,
if they've changed it somehow).  AFAICT it offers everything one needs to
require ESP or AH on a per-socket basis; is the implementation broken, or
are we talking about an interface change, and if so, why?

Thor