Re: PFkey update to get recent racoon working on NetBSD

To: VANHULLEBUS Yvan <vanhu%NetBSD.org@localhost>, "Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development)" <D.Zebralla%ape-net.com@localhost>
Subject: Re: PFkey update to get recent racoon working on NetBSD
From: jnemeth%victoria.tc.ca@localhost (John Nemeth)
Date: Sun, 31 Jan 2010 22:07:31 -0800

On May 13,  6:21am, VANHULLEBUS Yvan wrote:
} On Fri, Dec 18, 2009 at 03:12:36PM +0100, Daniel Zebralla (A.P.E. IT-Security 
- Hard- & Software Development) wrote:
} 
} > I've seen your mail at [1] that there were recent changes in racoon
} > that need equal changes to the kernek's PFkey interface.
} 
} Yep.
} 
} > I'm currently experiencing this problem with a recent racoon (taken
} > from NetBSD-current CVS) and a NetBSD 5.0 userland,
} > the problem that I see are repeatedly created phase2 SA entries as
} > described in [2] by Brett Lymn.
} 
} > Do you have any patches in this direction already, or can you
} > outline the work that needs to be done? 
} 
} Not actually, I still didn't found time to finish minor fixes and tou
} port it to NetBSD....
} I'll be on hollidays at the end of the week, I may have time to do at
} least most of that job in the next weeks.....
} 
} > Do you have files & revisions (or URLs to source-changes mails) for
} > FreeBSD?
} 
} Not so easy to track: the best way may be to get the diff
} between..... two patches !
} First one is the "old" patchset maintained for older versions,
} available at http://people.freebsd.org/~vanhu/NAT-T (use only patches
} without TEST or experimental, they will be the version closer to
} NetBSD's ones).
} 
} Second patchset is commit on FreeBSD's HEAD:
} http://svn.freebsd.org/viewvc/base?view=revision&revision=194062
} which mostly includes the "correct" version (well, there are still a
} few known bugs in specific situations, I'll have to make some test
} setups to be able to hunt them).

     I found this patchset and applied what appeared to be the
pertinent parts.  Unfortunately, the result was that racoon couldn't
communicate with the kernel.

} If someone starts porting that to NetBSD (don't forget that NetBSD
} still ships both IPSEC and FAST_IPSEC, work will need to be done

     They use common code for key management, so not a big deal.

} twice....), please let me know, that may avoid 2 guys doing the same
} job at the same time, and I can also give some hints, code review,
} etc....

     Does anything need to be done with racoon?  Do you have a detailed
description of the PFKey interface?  Any hints?  I have about three
months to finish this project for the application that I plan on using
NAT-T.  Not a huge rush, but I do need to get moving on it.

}-- End of excerpt from VANHULLEBUS Yvan

Follow-Ups:
- Re: PFkey update to get recent racoon working on NetBSD
  - From: VANHULLEBUS Yvan

References:
- Re: PFkey update to get recent racoon working on NetBSD
  - From: VANHULLEBUS Yvan

Prev by Date: Re: kernel level multilink PPP and maybe (re)porting FreeBSD netgraph
Next by Date: Re: PFkey update to get recent racoon working on NetBSD
Previous by Thread: Re: PFkey update to get recent racoon working on NetBSD
Next by Thread: Re: PFkey update to get recent racoon working on NetBSD
Indexes:

Home | Main Index | Thread Index | Old Index