Pantek Library

Re: [Design] IPSec in 2.5 Kernel?

From: Derek Atkins <derek(at)ihtfp.com>
Date: Thu Mar 20 2003 - 02:39:48 EST

john,

> Where are the scalability and usability issues

You still have not defined what you mean by "scalability and usability issues." Do you mean the number of simultaneous IKE SAs? # of IPsec SAs? Packets per second? Mb/s?

> I don't understand why having an spdadd command

in.te.grate \'int-*-.gra-t\ vb [L integratus, pp. of integrare, fr. integr-, integer] 1: to form into a whole : UNITE 2a: to unite with something else 2b: to incorporate into a larger unit 3: to find the ...

When I download the kernel from kernel.org, I want IPsec to be a part of the download. *THAT* is integrated. If I have to download the IPsec stack separately then I've already lost.

> > You cannot .... successfully route

It's bit me. It's bit Phil Karn. It's bit a number of other people I know. I guess we don't count as "most users", but it just doesn't work for relatively simple (but non-standard) network architectures.

> b) The issues are fixable.

Maybe, but nobody has fixed them yet -- and the frees/wan people won't accept _my_ fixes.

> Well, maybe I've got a giant blind spot, but I've

Could you please describe what you mean here? What do you mean by "automatically-keyed subnet-to-subnets[sic] VPN"? Can you point me at an architectural picture that described this?

I _presume_ what you mean is that you've got a VPN gateway at a central location and a bunch of extruded subnets going to a bunch of satellite offices? I also presume that the satellite offices are "road warriors" with non-static IP addresses.

If automatic keying means OE, then no, it obviously cannot use it. If "automatic keying" means "IKE with RSA without pre-shared keys", then yes, it can do that (although only with X.509 certs).

> I get 5 hits (none useful) from:

If my presumption is correct above, and if you are NOT talking about OE, then yes, this is a goal of the project. But really the immediate goals are getting standards-compliant and feature complete IPsec into the mainline Linux kernel and supporting applications.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
_______________________________________________
Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design
Received on Thu Mar 20 03:02:42 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:57 EDT

