tech-net archive


Re: reverse processing order: NAT, IPsec ?
On Fri, Jun 12, 2009 at 02:18:41PM -0500, David Young wrote:
> <soapbox>
> These difficulties sound like a symptom of the design flaw in NetBSD's
> IPsec that we should not repeat: hard-coding hooks in the IP input
> and output routines.  A design that re-used existing abstractions
> to provide building blocks to the operator---for example, an IPsec
> pseudo-interface where the IPsec processing occurs---would be more
> versatile and transparent, and it would spare us some complexity in the
> IP code.

OpenS/WAN did it this way on Linux.  It came with its own whole set of
nastinesses, notably a huge profusion of interfaces on any kind of busy
IPsec gateway.  I'm not sure it's really much better.

Thor