tech-net archive
Re: IPsec vs ssh
Date: Mon, 11 Nov 2013 11:49:14 +0100
From: Arnaud Degroote <degroote%NetBSD.org@localhost>
Message-ID: <20131111104914.GB6456@bugfree>
| If you want to use a programming interface instead of setkey, you can
| use the function ipsec_set_policy (3) from libipsec which takes the same
| kind of input as setkey (8).
Thanks, that does help a little - but that interface just seems to take
a textual description of the policy (which I don't have, but could produce
with a little sprintf'ing - though doing so seems a little perverse),
and converts it into a binary structure (that I could probably just fill
in with C assignment statements - the values for it should not be hard to find,
and don't in any way depend upon any external specification - just what
port numbers happen to have been assigned to my socket when it connected).
But, that doesn't tell me what to do with the structure when I have built
it, and I think that's really what I wanted to know.
| Some low-level APIs exist, but they are not documented.
That's what I was afraid of. And I think it is that that I really need
to get access to.
| Dig into libpfkey.h.
Thanks, but ... that shows me the structure used, which contains many
fields whose purpose is way beyond anything I can even guess at, and
prototypes for lots of functions whose purpose I have no idea of (I
have just taken a quick glance so far, but there look to be too many
for pure trial and error to ever come up with anything useful.)
| The protocol used is PFKEY, as described in RFC 2367.
That probably helps more, thanks - do we believe that NetBSD supports
the interface in that RFC completely?
kre
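One way to put the pieces named in this thread together, as an added example that is not part of the exchange and not NetBSD's own code: ipsec_set_policy(3) turns a setkey(8)-style policy string into a struct sadb_x_policy buffer, and that buffer is attached to a socket with setsockopt(2) using the IP_IPSEC_POLICY (IPv4) or IPV6_IPSEC_POLICY (IPv6) option documented in ip(4) and ip6(4). The two wrapper functions, ipsec_socket_spec() and ipsec_socket_policy_apply(), are the example's own; the libipsec calls are compiled only under __NetBSD__ so the file also builds elsewhere, where the apply step reports ENOSYS.

```c
/* Added example: attach a per-socket IPsec policy on NetBSD with libipsec.
 * Link with -lipsec.  The wrapper functions below are not part of libipsec. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __NetBSD__
#include <netipsec/ipsec.h>   /* ipsec_set_policy, ipsec_get_policylen, ipsec_strerror */
#endif

/* Build a transport-mode policy string in the syntax shared by setkey(8) and
 * ipsec_set_policy(3), e.g. "out ipsec esp/transport//require".  A per-socket
 * policy governs only that socket's traffic, so the src-dst field stays empty.
 * Returns a pointer to a static buffer, or NULL if an argument is not one of
 * the accepted keywords. */
const char *ipsec_socket_spec(const char *dir, const char *proto, const char *level)
{
    static char buf[64];
    if (strcmp(dir, "in") != 0 && strcmp(dir, "out") != 0)
        return NULL;
    if (strcmp(proto, "esp") != 0 && strcmp(proto, "ah") != 0 &&
        strcmp(proto, "ipcomp") != 0)
        return NULL;
    if (strcmp(level, "default") != 0 && strcmp(level, "use") != 0 &&
        strcmp(level, "require") != 0)
        return NULL;
    snprintf(buf, sizeof buf, "%s ipsec %s/transport//%s", dir, proto, level);
    return buf;
}

/* Apply a policy string to an existing socket.  af selects the IPv4 or IPv6
 * socket option.  Returns 0 on success, -1 on failure with errno set
 * (ENOSYS where libipsec is not compiled in). */
int ipsec_socket_policy_apply(int fd, int af, const char *spec)
{
#ifdef __NetBSD__
    /* ipsec_set_policy() is declared with a non-const pointer but does not
     * modify the string; it returns a malloc'd struct sadb_x_policy buffer. */
    char *pol = ipsec_set_policy((char *)spec, (int)strlen(spec));
    if (pol == NULL) {
        fprintf(stderr, "ipsec_set_policy: %s\n", ipsec_strerror());
        errno = EINVAL;
        return -1;
    }
    int optlevel = (af == AF_INET6) ? IPPROTO_IPV6      : IPPROTO_IP;
    int optname  = (af == AF_INET6) ? IPV6_IPSEC_POLICY : IP_IPSEC_POLICY;
    int rc = setsockopt(fd, optlevel, optname, pol, ipsec_get_policylen(pol));
    free(pol);   /* the buffer is owned by the caller once returned */
    return rc;
#else
    (void)fd; (void)af; (void)spec;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    /* Demand ESP on everything this TCP socket sends.  The SA itself still
     * has to exist, set up by an IKE daemon or by setkey(8) "add" entries. */
    const char *spec = ipsec_socket_spec("out", "esp", "require");
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    if (ipsec_socket_policy_apply(fd, AF_INET, spec) < 0) {
        perror("ipsec_socket_policy_apply");
        return 1;
    }
    printf("policy \"%s\" attached to socket %d\n", spec, fd);
    return 0;
}
```

The policy only states what the kernel must require or use for the socket; the security association that satisfies it still has to be present in the SAD, whether installed by an IKE daemon or by hand with setkey(8), otherwise a "require" policy simply blocks the traffic.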