Re: [Design] IPSec in 2.5 Kernel?
From: Michael Richardson <mcr(at)sandelman.ottawa.on.ca>
Date: Thu Mar 20 2003 - 04:30:49 EST
Derek> I'm not sure what kernel hooks you need for OE. The existing code
Derek> has the concept of "require ipsec" and "use ipsec"... Require
Derek> means that no non-IPsec packets will be passed; Use means that
Derek> IPsec will be used if an SA exists. I _believe_ that both Require
Derek> and Use policies will signal IKE to start a negotiation, but I'd
Derek> have to re-examine that code to verify.
Require will cause the keying daemon to be kicked. Use, on KAME/*BSD systems, will *NOT*. If the key is already there, use it.

OE requires that *every* new flow (source/dst pair) get passed to the IKE daemon for possible keying. If no keying is possible, a "pass" policy is put in place.

We intend to use Connection Tracking to do this in the future. We realize that many find CT to be too slow for many uses, but figure that the NAT people will solve this faster than anything we might do instead. (A blessing about the existence of the NAT code in some way.)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr(at)sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
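As an added example (not code from this post, FreeS/WAN or KAME), a small Python model of the three policy behaviours discussed above: Require kicks IKE and passes no cleartext, Use only takes an SA that already exists, and OE offers every new flow to IKE and installs a per-flow "pass" entry when keying fails. The class, method and table names are assumptions; the per-flow table stands in for the connection-tracking state the post proposes to use.

```python
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    REQUIRE = "require"  # no non-IPsec packets are passed; kick IKE
    USE = "use"          # use an SA if one exists, otherwise send in the clear
    OE = "oe"            # every new flow is offered to IKE; failure -> "pass"


class Verdict(Enum):
    IPSEC = "ipsec"  # packet goes out protected by an SA
    CLEAR = "clear"  # packet goes out unprotected
    DROP = "drop"    # packet is not sent


@dataclass
class PolicyEngine:
    """Constructed model of per-flow policy handling (assumption, not real code)."""
    policy: Policy
    sadb: set = field(default_factory=set)      # (src, dst) pairs that have an SA
    oe_flows: dict = field(default_factory=dict)  # CT-like table: flow -> cached verdict
    ike_requests: list = field(default_factory=list)  # flows handed to the IKE daemon

    def ike_negotiate(self, flow, peer_does_ipsec):
        """Stand-in for kicking the keying daemon; the outcome is a simulation input."""
        self.ike_requests.append(flow)
        if peer_does_ipsec:
            self.sadb.add(flow)
        return peer_does_ipsec

    def send(self, src, dst, peer_does_ipsec=False):
        flow = (src, dst)
        if flow in self.sadb:            # "If the key is already there, use it."
            return Verdict.IPSEC
        if self.policy is Policy.REQUIRE:
            # Require kicks IKE; nothing leaves in the clear while no SA exists.
            ok = self.ike_negotiate(flow, peer_does_ipsec)
            return Verdict.IPSEC if ok else Verdict.DROP
        if self.policy is Policy.USE:
            # KAME/*BSD "use": no SA means cleartext, and IKE is NOT kicked.
            return Verdict.CLEAR
        # OE: each new flow is passed to IKE once; if keying fails the
        # per-flow "pass" entry is cached so later packets are not re-keyed.
        if flow not in self.oe_flows:
            ok = self.ike_negotiate(flow, peer_does_ipsec)
            self.oe_flows[flow] = Verdict.IPSEC if ok else Verdict.CLEAR
        return self.oe_flows[flow]
```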
Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design

Received on Thu Mar 20 05:05:26 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:57 EDT