Re: linux-ipsec: ANNOUNCE: FreeS/WAN IPSEC & IKE version 0.8 released & useful!

> > The 0.8 (and target 1.0 in June) runs only in a VPN (tunnel) mode...

The one-sentence answer is: sure it has tunnels, but it doesn't give us
any convenient way to place a filter over the end of the tunnel. More
generally, because the Linux networking code is not very modularized, it
is very difficult to splice a new module into the packet-processing path
without having to mess with the existing code.
We don't want to get into the business of having to distribute custom
kernels. There is a high payoff in reduced hassles and improved usability
for having something that drops into a standard Linux. Unfortunately,
it's not easy to do that in the networking code, and our current solution
lacks both elegance and generality. We're looking at alternatives. (The
Linux kernel people know they've got a problem here, and with any luck it
will get solved eventually, but we can't wait.)
No, ditching Linux and switching to OpenBSD is not an option for this
project, tempting though it may be at times. Upper management is very
firmly committed to GNU-style licensing, which limits us to Linux.
Henry Spencer
henry@spsystems.net
(henry@zoo.toronto.edu)
Received on Fri May 15 14:10:55 1998
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:10 EDT