tech-net archive


Re: KAME IPsec vs Fast IPsec



On Tue, Apr 15, 2008 at 12:37:00PM -0700, Jason Thorpe wrote:
>
> What's the status of Fast IPsec being a complete replacement for
> KAME IPsec?  If it has feature parity, is it time to dump KAME IPsec?

I believe there's one feature missing, which is support for
UDP-encapsulated ESP.  I believe FreeBSD has in fact nonetheless
dumped the KAME code at this point.

I have been putting a lot of work into the opencrypto code used by
Fast IPsec and would like to see a lot of duplicative crypto and
IPsec code go.  In a few cases (e.g. the iovec walking code in cgd,
which does not needlessly copy every request before encrypting it)
the code elsewhere in the tree is better than the opencrypto or
netipsec code, but as far as KAME IPsec itself I don't think that's
the case.

-- 
  Thor Lancelot Simon    tls%rek.tjls.com@localhost

  "The inconsistency is startling, though admittedly, if consistency is to
   be abandoned or transcended, there is no problem."         - Noam Chomsky

