Hosting Provided By

Re: [Design] IPSec in 2.5 Kernel?

From: Ken Bantoft <ken(at)freeswan.ca>
Date: Wed Mar 19 2003 - 10:33:12 EST

-----BEGIN PGP SIGNED MESSAGE----- On Wed, 19 Mar 2003, Paul Wouters wrote:

> > Are you certain what the _current_ positons are in all cases, or

I've been lurking around (Paul forwarded me a bunch of emails from his exchanges) but I think I'll sort-of jump since, since I'm an unknown player.

Nothing has stopped anyone from forking FreeS/WAN into something like, say, Super FreeS/WAN, and including code that Hugh Daniel and John Gilmour don't agree with - like NAT Traversal, and 1DES. I've done it, you can do it, we can all do it.

> > As I see it, the FreeS/WAN project should now drop all effort

Yes, KLIPSv1 is, at best, an ugly hack. I've been reading JSD's mast papers, and that seems to be the best way to go from a technical persepctive, since it handles some of the soon-to-be more popular cases of assigning IP addresses to road warriors, and other cases with ease.

> > I believe the mainline stuff supports some undesirable "features"

That's the stance JuanJo and I have taken with ALG & Super FreeS/WAN patches. We now include 1DES support, but you must explicitly turn it on in the config, and it warns() each time the module is inserted into the kernel. Maybe we should taint() ?

Do you need help?

> Btw. I still don't see how pluto will get into big distro's, eg RedHat.

And of course... if different distros pick different userland tools, inter-op could be nothing shy of a nightmare. That's something I don't want to see happen, so I'll be starting to work with Kernel 2.5 IPSec in April to see how well it inter-ops with (Super) FreeS/WAN and some other IPSec enabled devices I have access to.

> > It is not enough to make Pluto run over 2.5 kernel IPsec.

Yes.

-- Ken Bantoft The Unoffical FreeS/WAN Site: ken(at)freeswan.ca http://www.freeswan.ca PGP Key: finger ken@bantoft.org "Random numbers should not be generated with a method chosen at random." -- Donald Knuth,

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPniNuliWUusaxGxpAQEsRgP/bBhZdh0vEyXCERBJh+8Quv2LSWCSVv3R b63KXepon5hNE57MrXpS3hBjq0mwSifYjhXfBEXUfNMkFjtQZNFEnpXoobbHTgJb L5j3BpbEeRQaq79Ad7k5EimZaxiWyfRV1sWv8o3U973x4DmnizL/Wo49kHXFJmLa P8xSP5rKZM4=
=nndu
-----END PGP SIGNATURE-----

Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design Received on Wed Mar 19 11:10:58 2003

This message: [ Message body ]
Next message: Paul Wouters: "Re: [Design] IPSec in 2.5 Kernel?"
In reply to Paul Wouters: "Re: [Design] IPSec in 2.5 Kernel?"
Next in thread: Paul Wouters: "Re: [Design] IPSec in 2.5 Kernel?"
Reply: Paul Wouters: "Re: [Design] IPSec in 2.5 Kernel?"
Reply: John S. Denker: "Re: [Design] IPSec in 2.5 Kernel?"
Reply: Derek Atkins: "Re: [Design] IPSec in 2.5 Kernel?"
Reply: John S. Denker: "Re: [Design] IPSec in 2.5 Kernel?"
Reply: John S. Denker: "Re: [Design] IPSec in 2.5 Kernel?"
Reply: John S. Denker: "Re: [Design] IPSec in 2.5 Kernel?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:57 EDT