[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: reverse processing order: NAT, IPsec ?
On Fri, Jun 12, 2009 at 02:18:41PM -0500, David Young wrote:
> These difficulties sound like a symptom of the design flaw in NetBSD's
> IPsec that we should not repeat: hard-coding hooks in the IP input
> and output routines. A design that re-used existing abstractions
> to provide building blocks to the operator---for example, an IPsec
> pseudo-interface where the IPsec processing occurs---would be more
> versatile and transparent, and it would spare us some complexity in the
> IP code.
OpenS/WAN did it this way on Linux. It came with its own whole set of
nastinesses, notably a huge profusion of interfaces on any kind of busy
IPsec gateway. I'm not sure it's really much better.
Main Index |
Thread Index |