This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig38117677E44D021350494E6F
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Thor Lancelot Simon wrote:
> On Sun, Jan 22, 2006 at 01:59:49PM +0000, Thomas E. Spanjaard wrote:
>>Note that IPsec ESP/AH authentication isn't operational yet, 
>>as someone(*cough* riz *cough* ;)) needs to upgrade our IPsec/SA stuff 
>>to what OpenBSD has.
> What exactly is involved in this "upgrade"?  The interface in question
> is standard across the KAME stack and the "fast IPsec" (Keromytis/Leffler)
> stack in most BSD operating systems (in fact, all of them except OpenBSD,
> if they've changed it somehow).  AFAICT it offers everything one needs to
> require ESP or AH on a per-socket basis; is the implementation broken, or
> are we talking about an interface change, and if so, why?

The OpenBSD folks have done some reworking and added various features 
(like SADB_X_{ADD,DEL}FLOW), which I haven't looked into thoroughly. 
Jeff Rizzo has done some work in this area and probably can explain a 
bit more regarding this. Our implementation isn't necessarily broken, 
but it doesn't feature what the OpenBSD one has either. See 
bgpd/pfkey.c, the #ifdef'ed parts.

Cheers,
-- 
         Thomas E. Spanjaard
         tgen@netphreax.net

--------------enig38117677E44D021350494E6F
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (NetBSD)

iD8DBQFD09a+6xCMwBJ+1+sRA9rDAJ9zoLFIiblaMFsr6XIfqAP+my9KJwCfUnLa
shwflgiuhA5/B9Mvv8mJSxk=
=wewu
-----END PGP SIGNATURE-----

--------------enig38117677E44D021350494E6F--