tech-net archive


Re: KAME IPsec vs Fast IPsec

I want to know the plan for extension header support in fast IPsec too.

I'm working on Mobile IPv6, which uses extension headers and IPsec at the same time. The missing extension header support is one of the reasons that I cannot move from KAME IPsec to fast IPsec.

Keiichi SHIMA
IIJ Research Laboratory
WIDE Project

On 2008/04/20, at 6:07, Jason Thorpe wrote:

What will it take to fix this last issue? I think it's time we had just one ipsec in the tree.

-- thorpej@iPhone

On Apr 19, 2008, at 2:53 AM, Arnaud Degroote wrote:

On Tue, Apr 15, 2008 at 04:44:32PM -0400, Thor Lancelot Simon wrote:
On Tue, Apr 15, 2008 at 12:37:00PM -0700, Jason Thorpe wrote:

What's the status of Fast IPsec being a complete replacement for
KAME IPsec? If it has feature parity, is it time to dump KAME IPsec?

I believe there's one feature missing, which is support for
UDP-encapsulated ESP.  I believe FreeBSD has in fact nonetheless
dumped the KAME code at this point.

fast_ipsec(4) supports UDP-encapsulated ESP via IPSEC_NAT_T options
since June 2007.

There is still an issue between "ipv6 extension header" and fast_ipsec.
But it is probably the last difference with Kame IPSec (if you don't
count the fact that kame ipsec is probably better tested).

Take care.
Arnaud Degroote
